Phishing
Just as a fisherman throws out a baited hook in hopes of luring a fish, Internet “phishers” cast out shiny, attention-getting messages in hopes of reeling in an unsuspecting victim. “Phishing” refers to Internet crooks sending e-mails, texts, or instant messages that urgently request personal information, such as passwords or credit card numbers, in the hope that an unsuspecting recipient will take the “bait.” These messages purport to be from a legitimate company, and sometimes even from FSU! In reality, they are attempts to trick you into revealing sensitive personal information. FSU personnel will NEVER ask for your password by any means. If you receive an email, phone call, or any other message asking for your password, it is almost certainly a phishing attempt, so do not give out your password.
To report a potential phishing attempt, use the Phish Alert Button.
Here are 9 tips on how to identify a phishing or spoofing email.
- Tip 1: Don’t trust the display name
A favorite phishing tactic among cybercriminals is to spoof the display name of an email. Return Path analyzed more than 760,000 email threats targeting 40 of the world’s largest brands and found that nearly half of all email threats spoofed the brand in the display name.
Here’s how it works: if a fraudster wanted to spoof the hypothetical brand “My Bank,” the message would show “My Bank” as the display name while the actual sending address sat at a domain such as secure.com. Since My Bank doesn’t own the domain secure.com, that is a very good sign the email is a scam. Once delivered, the fraudulent email looks legitimate because most mail clients show only the display name. For example, an email may appear to be from FSU IT Help Desk, but when you look closely at the “From” address, instead of coming from the Help Desk’s genuine FSU address it comes from a strange domain such as frostburg@iwillscamyou.com. Don’t trust the display name! Always check the “From” address; if it looks suspicious, don’t click anything in the message, and report it with the Phish Alert Button.
- Tip 2: Look but don’t click
Hover your mouse over any link embedded in the body of the email, or press and hold the link on a mobile device. The true destination of the link will appear, and it is often different from the web address printed in the link text. If the destination looks odd, or its domain does not match the company the message claims to be from, don’t click it! A common example is a message that claims to be from Verizon but whose links actually lead to a domain Verizon does not own.
- Tip 3: Check for spelling mistakes
Brands are pretty serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar. Read your emails carefully and report anything that seems suspicious.
- Tip 4: Analyze the salutation
Is the email addressed to a vague “Valued Customer?” If so, watch out—legitimate businesses will often use a personal salutation with your first and last name.
- Tip 5: Don’t give up personal information
Legitimate banks and most other companies will never ask for personal credentials via email. Don’t give them up.
- Tip 6: Beware of urgent or threatening language in the subject line
Invoking a sense of urgency or fear is a common phishing tactic. Beware of subject lines that claim your “account has been suspended” or your account had an “unauthorized login attempt.”
- Tip 7: Review the signature
Lack of details about the signer or how you can contact a company strongly suggests a phish. Legitimate businesses always provide contact details.
- Tip 8: Don’t click on attachments
Including malicious attachments that contain viruses and malware is a common phishing tactic. Malware can damage files on your computer, steal your passwords or spy on you without your knowledge. Don’t open any email attachments you weren’t expecting.
- Tip 9: Don’t believe everything you see
Phishers are extremely good at what they do. Just because an email has convincing brand logos, language, and a seemingly valid email address, does not mean that it’s legitimate. Be skeptical when it comes to your email messages—if it looks even remotely suspicious, don’t open it.
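The checks in Tip 1 (a display name that names a brand while the real address sits at another domain), Tip 2 (link text that shows one web address while the link actually leads to another) and Tip 8 (attachments you weren’t expecting) can be applied mechanically to a message. The script below is an added example, not a tool provided by FSU or by this page: it parses a raw email with Python’s standard library and reports those three indicators. The brand allow-list (`BRAND_DOMAINS`), the host-name regex and the sample message are constructed for the example, and the two-label domain comparison is a simplification of what a production tool would do.

```python
"""Added example (not the page's own tooling): triage one raw email for the
indicators in Tip 1 (spoofed display name), Tip 2 (link text that does not
match the real destination) and Tip 8 (unexpected attachments). The brand
allow-list and the sample message are constructed for this example."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: a brand name that may appear in a display name, mapped to
# the registrable domains that genuinely send its mail. Hypothetical values.
BRAND_DOMAINS = {
    "my bank": {"mybank.com"},
    "verizon": {"verizon.com"},
}

# Something that looks like a host name inside the visible link text.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def registrable_domain(host):
    """Keep the last two labels ('www.mybank.com' -> 'mybank.com'). Production
    code should consult the Public Suffix List; this is a simplification."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def check_from_header(from_value):
    """Tip 1: return a finding if the display name names a brand whose domain
    does not match the real sending address, else None."""
    name, addr = parseaddr(from_value)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and registrable_domain(domain) not in domains:
            return f"display name {name!r} claims {brand!r} but address is {addr}"
    return None

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Tip 2: flag anchors whose visible text shows one host while the href
    (what hovering reveals) actually points at another."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        shown = HOST_RE.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(real_host):
            findings.append(f"link text shows {shown.group(1)} but leads to {real_host}")
    return findings

def triage(raw_message):
    """Run all checks over an RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_finding = check_from_header(str(msg["From"] or ""))
    if from_finding:
        findings.append(from_finding)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(check_links(body.get_content()))
    for part in msg.iter_attachments():  # Tip 8: anything you weren't expecting
        findings.append(f"unexpected attachment: {part.get_filename()}")
    return findings

# Constructed sample: the "My Bank" display name from Tip 1 over a secure.com
# address, plus a link whose text and destination disagree (Tip 2).
SAMPLE = """\
From: My Bank <alerts@secure.com>
To: someone@example.com
Subject: Your account has been suspended
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>We detected an unauthorized login attempt. Verify now:
<a href="http://mybank.secure-login.example/verify">https://www.mybank.com/login</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("PHISH INDICATOR:", finding)
```

Run as-is, the script reports two indicators for the constructed sample: the “My Bank” display name over an address at secure.com, and a link whose text shows www.mybank.com but whose real destination is mybank.secure-login.example. A message whose From address and link targets genuinely belong to the brand produces no findings, which is exactly why Tip 9 still applies: a clean result from checks like these means only that the obvious tells are absent, not that the message is safe.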