Email Security - Phishing
What is Phishing?
Phishing is a commonly used online scam that attempts to trick you into providing your personal information such as your Login ID and Password, credit card number or Social Security Number. Phishing attacks use email and/or malicious websites (clicking on a link) to collect personal and financial information or infect your machine with malware and viruses.
Remember: Google/Gmail will never send you an email asking for your login ID and password, whether in the email itself or through a web form; you enter those only when signing in to Gmail itself. Anyone asking for this type of information via email is undoubtedly a fraud.
Why is Phishing bad?
Successful phishing scams can have severe consequences not only to the individual whose account has been compromised (personal risk) but also to Gallaudet University (institutional risk).
Phishing email tries to trick you into giving your personal information, like your Login ID and Password or credit card number. Rather than try to get you to buy something, phishing messages usually have a threatening tone in an attempt to fool you into thinking something bad will happen if you don't respond. For example, the message might say something along the lines of "You have violated our terms & service which has been reported to our servers daily. You are required to to verify your account now to secure your mails on our database to avoid shutting down your email within 10-hours." Supplying a phisher with your information can have a number of negative consequences including:
- Phishers can use the data to access your account and withdraw your money or purchase merchandise or services.
- Phishers can use the data to open new bank or credit-card accounts in your name(s), and use the new account to cash illegitimate checks or purchase merchandise.
- Phishers can install computer viruses and worms on your computer and send the phishing emails to more people.
- When phishers successfully obtain user credentials for some systems, they not only gain access to the accounts that use the credentials, but they can potentially access high-value institutional data such as social security numbers, health information, student data, etc.
- Internet or financial services companies can blacklist institutions, resulting in reputational damage.
- When an institution is blacklisted, its ability to communicate with members of the community (prospective students, student athletes, faculty and staff, alumni, partners, friends, etc.) is diminished.
- We use the valuable time of staff members (IT, legal, HR and financial departments) to address the issues caused by phishing and spoofing, rather than applying their skills to more productive work.
How can I recognize a Phishing email?
Here is an example of what a phishing scam in an email message might look like:
What to look for:
- Spelling and bad grammar. Cybercriminals are not known for their grammar and spelling. Professional companies or organizations usually have a staff of copy editors that will not allow a mass email like this to go out to its users. If you notice mistakes in an email, it might be a scam.
- Beware of links in email. If you see a link in a suspicious email message, don't click on it. Rest your mouse (but don't click) on the link to see whether the address it actually points to matches the link text typed in the message (the real address is displayed in the lower-left corner of your browser). In the example below the link reveals the real web address, as shown in the box. The string of cryptic letters/numbers looks nothing like the company's web address (google.com).
- Threats. Have you ever received a threat that your account would be closed if you didn't respond to an email message? The email message shown above is an example of the same trick. Cybercriminals often use threats that your security has been compromised.
- Spoofing popular websites or companies. Scam artists use graphics in an email that appear to be connected to legitimate websites but actually take you to phony scam sites or legitimate-looking pop-up windows.
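The hover check described above (does the address the link really points to match the address shown in the message?) can also be done automatically over the HTML of a message. The following Python script is an added example written for this page, not code from Gallaudet or from any email provider: it collects every link in an HTML message, and flags those whose visible text looks like a web address on one host while the real href points somewhere else. The sample message and all hostnames and addresses in it are constructed for the demonstration (203.0.113.5 is a documentation-only address), and the script generalizes the single example in the text by checking every link in the message, including links to subdomains of the site shown, which are treated as a match.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # visible text seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text):
    """True if the visible link text itself reads like a web address (e.g. 'google.com')."""
    return re.fullmatch(r"(https?://)?[\w.-]+\.[A-Za-z]{2,}(/\S*)?", text.strip()) is not None


def registrable_host(url):
    """Lower-cased hostname of a URL, or None if it has none."""
    # urlparse only recognises the host part when a scheme is present,
    # so a bare 'google.com' gets one added before parsing.
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname
    return host.lower() if host else None


def same_site(shown, real):
    """Treat the real host as matching when it equals the shown host or is a subdomain of it (or vice versa)."""
    return shown == real or real.endswith("." + shown) or shown.endswith("." + real)


def find_mismatched_links(html):
    """Return the links whose visible text names one host while the href points to a different one."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue  # text like 'Change your password' makes no host claim, so nothing to compare
        shown = registrable_host(text)
        real = registrable_host(href)
        if shown and real and not same_site(shown, real):
            findings.append({"shown": text, "actual": href})
    return findings


# Constructed sample message: the second link shows a Google address but points elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Your account will be closed in 10 hours unless you verify it now.</p>
<p>Click <a href="http://203.0.113.5/~verify/login.php">https://accounts.google.com/signin</a>
to keep your mailbox.</p>
<p>Questions? Visit <a href="https://support.google.com/mail">support.google.com</a>.</p>
<p><a href="https://www.example.edu/password">Change your password</a></p>
"""

if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"shown as {finding['shown']!r} but points to {finding['actual']!r}")
```

The check only covers HTML messages where the link text itself claims to be an address; a link labelled "Click here", a shortened URL, or a plain-text message gives it nothing to compare, so it complements rather than replaces the hover check above.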
What should I do if I receive a Phishing email?
- Do not download any attachments accompanying the message. Attachments may contain malware such as viruses, worms or spyware.
- Never click links that appear in the message. Links embedded within phishing messages direct you to fraudulent websites.
- Do not reply to the sender. Ignore any requests the sender may solicit and do not call phone numbers provided in the message.
- If you receive a suspicious message from anybody, including friends and family members, do not follow the instructions listed in the body of the message. For Gmail, click on the drop-down arrow in the top-right corner of your email message and select "Report phishing"; in the separate "Report phishing" window that appears, click the "Report Phishing Message" button.
- Go to the support page for your email provider to find more information on how to report spam, phishing attacks and/or spoofed messages. Here are links to a few of the more popular email providers.
- If you are unable to figure out how to report phishing attacks, delete the email.
What should I do if I have responded to a Phishing email?
- If you see that your password has been changed without your knowledge, or if you have concerns that messages are being sent using your account, go to http://selfservice.gallaudet.edu and change your password immediately! This will reset your password for all Gallaudet technology resources including email, Blackboard, Bison, wireless network access, etc.
- Delete the phishing email.
- Go to security.google.com and review your recent account activity. Review the information for any unusual activity and share any suspicious findings with the Help Desk. If you still have the suspicious email in your inbox, contact the Help Desk for instructions on how to provide GTS with message header information.
How else can I protect myself from phishers?
If you would like more information on how to avoid phishing attacks, please take a moment to read the following articles:
- Federal Trade Commission Consumer Site: https://www.onguardonline.gov/
- United States Computer Emergency Readiness Team (US-CERT): Avoiding Social Engineering and Phishing Attacks
- Microsoft: How to recognize phishing email messages, links, or phone calls
- Google: About phishing