While spam filters can do a fantastic job of weeding out malicious attacks and unwanted emails, phishing emails can still get through even the best spam filters. In fact, more than 50% of internet users in general receive a phishing email every day. More importantly, 97% of internet users cannot identify a sophisticated phishing email.
This article is intended to help identify phishing emails and properly handle them.
Identifying a Phishing Attempt
Phishing is a crime in which a target or targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
The information is then used to access important accounts and can result in identity theft and financial loss.
There are several things to look out for in identifying whether an email is legitimate.
1) Display Names Can Lie
A fraudster can make their phishing attempt appear to be from a legitimate source. For example, you may receive an email from "MBU" or "Microsoft Office" or even someone who works on campus. However, make sure to check the actual email address from which you are receiving the email.
When a phishing attempt is made, the domain (the part of the address after the @, such as the .com part) will not match up with who the sender purports to be. In the example below, the fraudster claims to be from MBU's Human Resources department, but their email address is obviously not connected to MBU.
Also, when someone's credentials are compromised, the fraudster can use the compromised email to send out more phishing attacks. So, you can receive a phishing email from a trusted source. If you receive something suspicious, contact the person directly via phone to see if they sent that to you.
2) Look but Don’t Click
Hover your mouse over any link in the body of the email that you are instructed to click. If the address looks weird, don’t click on it. The link text may look legitimate, but hovering over it reveals where the link will actually send you.
For example, the fraudster spoofs a link to look like it will take you to MBU's website, but by hovering over it, you can see that the actual page you will be directed to is decidedly not connected to MBU. The link below appears to be for MBU's home page, but it will instead take you to Google's home page. You can see where the link really goes by hovering your mouse over it.
3) Check for Spelling Mistakes
Anything the IT Department, or any other department on campus, sends you will be professionally done with a proper email signature at the bottom. While none of us are perfect, grammar and spelling mistakes in an email requesting information from you should immediately raise a red flag.
4) Impersonal Salutation
Legitimate emails from campus faculty and staff will have proper greetings addressed to you. Anything addressed to "Member," or "Customer," or "User," should immediately set off alarm bells.
5) Keep Passwords Secret
The IT Department will never ask for your password; we have zero desire to know what your password is. If an email is asking for your username and password, it is not from the IT Department. The only time the IT Department will inform you about passwords is if yours is expiring and needs to be updated, and we will always direct you to https://password.mobap.edu.
6) Beware Urgent Calls to Action
Invoking a sense of urgency or fear is a common phishing tactic. Beware of subject lines that claim your “account has been suspended” or your account had an “unauthorized login attempt.”
7) Don’t Click on Attachments
Sending malicious attachments that contain viruses and malware is a common phishing tactic. Malware can damage files on your computer, steal your passwords, or spy on you without your knowledge. Don’t open any email attachments you weren’t expecting. If you have doubts about what was sent to you, before opening an attachment, forward the email you received to firstname.lastname@example.org for the IT Helpdesk to review. Alternatively, call the person you received the email from in order to confirm they sent you an attachment and what the attachment is.
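As an added example that is not part of this article, the Python script below applies four of the checks above (items 1, 2, 4 and 6) to a raw email message and reports which red flags it trips. The campus domain, the brand words, the sender address and the sample message are constructed assumptions, not data from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
TRUSTED = "mobap.edu"             # campus domain named in the article
BRAND = ("mbu", "mobap")          # words a spoofed display name would use
URGENT = ("account has been suspended", "unauthorized login attempt")

class LinkCollector(HTMLParser):  # (href, visible text) pairs: what hovering reveals
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_of(s):  # host of an address, URL or bare domain; '' if there is none
    m = re.search(r"(?:@|//|^)([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", s.lower())
    return m.group(1) if m else ""
def phishing_indicators(raw):  # checklist red flags that a raw message triggers
    msg, flags = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    sender = domain_of(addr)
    campus = sender == TRUSTED or sender.endswith("." + TRUSTED)
    if any(b in name.lower() for b in BRAND) and not campus:
        flags.append(f"display name claims MBU but sender is {addr}")  # 1)
    if any(p in msg.get("Subject", "").lower() for p in URGENT):
        flags.append("urgent subject line")                             # 6)
    body = msg.get_payload()
    if re.search(r"\bdear\s+(member|customer|user)\b", body, re.I):
        flags.append("impersonal salutation")                           # 4)
    links = LinkCollector()
    links.feed(body)
    for href, text in links.links:
        shown, real = domain_of(text), domain_of(href)
        if shown and real and shown != real:
            flags.append(f"link shows {shown} but points to {real}")    # 2)
    return flags
# Constructed sample (not from the article) that trips all four checks.
SAMPLE = ('From: "MBU Human Resources" <hr@example-payroll.test>\nSubject: Your '
          "account has been suspended\nContent-Type: text/html\n\n<p>Dear User,</p>"
          '<p>Confirm at <a href="https://www.google.com">https://www.mobap.edu</a></p>')
```

Running `phishing_indicators(SAMPLE)` returns one entry per tripped check; a message from a campus address with a personal greeting and matching link text returns an empty list.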
Deleting and Reporting a Phishing Attempt
Please refer to the article below on how to report junk messages in Outlook.
Results of Falling for a Phishing Attempt
Falling for a phishing attempt compromises your personal information, and in most phishing attempts directed at MBU, that information is your username and password credentials. With those compromised credentials, the fraudster can access MBU resources, potentially even the J: and K: drives. Furthermore, the fraudster then uses your email address to send out more phishing attempts.
Thankfully, MBU's Office365 subscription catches apparent spam activity from MBU email addresses. Microsoft will not only inform the IT Department about the issue but also suspend your account. The IT Department will reopen your account and change your password. At that point, you will need to reset your password at https://password.mobap.edu, and you will notice a message in your MBU email inbox from the IT Department explaining why your account was suspended.