Phishing is when scam artists send official-looking emails, attempting to fool you into disclosing your personal information — such as user names, passwords, banking records or account numbers, or social security numbers — by replying to the email or entering it on a phone website. Phishers can pretend to be from a legitimate bank, organization, government agency, or store, or claim to be the host of a lottery or contest.
- Identify the Sender. Do you know this person? Were you expecting e-mail from this person or does it fit in with your job role? If not, it is probably suspicious.
- Reply-to. If the Reply-to address is different from the sending address, this should raise your suspicion for the whole message
- Links and Attachments. If you were not expecting an attachment or a link, and you do not know the sender, do not open it! If you are not sure, check with the sender by phone (don’t use a phone number in the e-mail), otherwise report it.
- Grammar and Tone. Many of the malicious e-mails sent have poor grammar, punctuation and spelling. In addition, you should know how your co-workers communicate. Does this message sound like them? If not, it is probably malicious.
- Emotions. Be wary of any e-mails trying to cause certain emotions. The most commonly-used malicious emotions are:
- Greed. Messages offering or promising you money by clicking a link or giving away information are usually.malicious. If it seems too good to be true, it probably is.
- Urgency. Unusually short deadlines create a false sense of urgency to act. Attackers employ this technique inattempts to confuse the recipient.
- Curiosity. Attackers take advantage of our curiosity by promising something exciting or prohibited content.
- Fear. Threatening recipients with negative consequences is a common tactic to generate responses—things suchas threatening to shut off accounts or legal action.
This email advertises exciting new features for PENNCREST users and tries to get you to visit a link to login. It includes a PENNCREST mailing address in an attempt to appear more authentic, but if you check the District website, you’ll see that the email address shown here is not the Help Desk’s email address. Do not click the link.
The email below appears to be a receipt from the popular retailer Amazon.com. It looks official and tries to get you to click to review a purchase that you certainly didn’t make. If you mouse over any of the links though, you will see that none of them point to the official amazon.com website. Find Amazon’s phone number and call them or inquire with an official Amazon email address found on their help website. Do not click the links in the email.
- Be on the lookout for suspicious emails or text messages. Legitimate, responsible companies will never solicit personal information over email. Never reveal personal or financial information in response to an email request, no matter who appears to have sent it.
- Don’t click on links or attachments in suspicious emails or text messages. Instead, visit the mentioned website directly by using a search engine to locate the real site. If the web address listed by the search engine and the address in the email do not match, the email is most likely a phishing attempt or spam, and you should delete it.
- If you are still tempted to click, pick up the phone instead. If the message looks real and you are really tempted to respond, instead look up the phone number of the company and call them. Do not use any phone number in the email because it could be fake. Ask if the message was actually sent by the company and if you can take care of any issues over the phone instead.
All PENNCREST employees who receive suspicious e-mail should report it immediately to firstname.lastname@example.org. Even if you are not sure, it is better to have the message checked first. In addition, just because you may think it is obviously bad, you should still send it along for analysis. What might be obvious to you may not be to another individual. Remember, if you see something suspicious, report it!
1. Use links to sites with “https://” This directs your recipients to websites that can be verified by a trusted third party.
2. Offer alternatives to clicking the link. Give directions such as “Go to the Intranet, click on …”
3. Have direct contact information. Give your recipients a point of contact to verify the authenticity of the message.
4. Avoid attachments. Where possible avoid sending attachments. Try to use Google file stream or other methods of file transfer.