Phishing: Don't Get Hooked
With ever increasing amounts of phishing attempts and other digital threats, your Texas State Information Security team is hard at work, providing education, tools, and tips, to keep you safe.
What is phishing?
Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
The information is then used to access important accounts and can result in identity theft and financial loss.
What to do if you think you've been phished
Call ITAC immediately for assistance in resetting your password and limiting any potential damage.
Report any possible phishing emails utilizing the Report Phishing button in Outlook for Windows or Office 365 or forward any phishing or suspicious emails you received in your TXST email, as an attachment, to email@example.com.
How to report phishing in Outlook for Windows and Office 365
Select ‘Junk’ from the Home ribbon
Then select Report as Phishing as shown in the screenshot.
Once you select ‘Report as Phishing’, Outlook will prompt you to finalize the report.
NOTE: If you click ‘Don’t Report’ the message will move to your Junk Email.
Select “Report” to send the email to Information Security.
To ensure you do not accidentally follow any links within the email, proceed to delete it from your Inbox and Deleted Items folders.
Steps for reporting from Office 365 are very similar to those in Outlook.
Select ‘Junk’ from menu
Next, select Phishing as shown in the screenshot.
Note: If you are a Mac user or are not seeing the menu option, please forward emails to firstname.lastname@example.org as an attachment
What should you be on the lookout for?
- Sense of urgency - A favorite tactic amongst cyber criminals is to ask you to act fast because the super deals are only for a limited time. Some of them will even tell you that you have only a few minutes to respond. When you come across these kinds of emails, it's best to just ignore them. Sometimes, they will tell you that your account will be suspended unless you update your personal details immediately. Most reliable organizations give ample time before they terminate an account and they never ask patrons to update personal details over the Internet. When in doubt, visit the source directly rather than clicking a link in an email. In addition, many phishing emails will try to scare users into taking some action to prevent their account from being closed or some other severe consequence.
- Too good to be true - Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people’s attention immediately. For instance, many claim that you have won an iPhone, a lottery, or some other lavish prize. Just don't click on any suspicious emails. Remember that if it seems to good to be true, it probably is!
- Hyperlinks - A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed upon clicking on it. It could be completely different or it could be a popular website with a misspelling, for instance www.bankofarnerica.com - the 'm' is actually an 'r' and an 'n', so look carefully.
- Attachments - If you see an attachment in an email you weren't expecting or that doesn't make sense, don't open it! They often contain payloads like ransomware or other viruses.
- Unusual sender - Whether it looks like it's from someone you don't know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in general don't click on it!
What information are they after?
Phishers and other cyber criminals are commonly trying to get the following information:
- PIN numbers
- Credit card numbers
- CCV codes (the 3-5 digits on the back of the credit cards)
- ATM/debit or credit card information
- Social security numbers
- Banking information (account number, routing number).
Helpful tips to avoid getting hooked
- No reputable organization will ever ask you for confidential information via e-mail.
- Never respond to an e-mail from a source you are not 100 percent sure of. When in doubt, call them.
- Never be afraid to call the company. If they want your information, they should be able to take it over the phone.
- Even if you do call a company, it doesn’t hurt to ask why they need to collect certain information.
- Always check the authenticity of a Web site before you provide any of your personal information.
- Never click on a link in a suspicious e-mail because it may take you to a malicious site. Open a new browser window and navigate to the page yourself.
- Phishing e-mail will often have a sense of urgency. ("Your account will be closed if you don't..." etc.) They may also contain strange words, misspelled words or unusual or awkward phrasing to help them avoid SPAM-filtering software.They may also contain strange words, misspelled words or unusual or awkward phrasing to help them avoid SPAM-filtering software.
- Don’t take good grammar as a sure sign of authenticity. Phishers are getting smarter, and oftentimes copy legitimate messages. Be sure to look for other suspicious markers.
- Chase (Fraud Information)
- Citizens Bank (Important Information about Online Security)
- Bank of America (Reporting and Resolving Fraud)
- US Bank (How To Spot Fraud)
- Wells Fargo (How to Protect Yourself)
- Western Union (Fraud Awareness)
- Amazon (Identifying Phishing or Spoofed E-mails)
- Ebay (Privacy Information)
- Paypal (What are common scams and how do I spot them?)
- Your employer
- Help desk personnel
- IT organization
- Vishing (Phishing via Phone)