Avoid phishing scams
Phishing is a cybercriminal's attempt to trick internet users into revealing their personal information online. Phishers will try to get you to reveal your credit card and bank account numbers, usernames and passwords, or even your Social Security number.
Phishing often takes the form of an email asking you to provide or verify information. It may ask you to reply with the requested information, or it may link to a fake website that resembles a reputable one. Providing personal information in a reply email or through a fake website could put your accounts at risk for fraudulent activity or could make you a victim of identity theft.
Spear phishing attacks are email scams tailored for a group of people with something in common. In UD's case, criminals send emails with UD-specific terminology, logos, names, and information to trick users into believing they are legitimate University emails. Scammers do such a good job making emails look individualized or tailored to you that your spam filter may miss it—leading you to click a malicious link or surrender sensitive information.
Be vigilant. If you receive email that looks suspicious or seems too good to be true, don't click any links contained in the message, and don't open any files attached to it.
If you encounter a phishing attempt or any other IT security threat (e.g., breaches, thefts, spam), report it immediately. Additionally, report spear phishing attempts to the IT Support Center using the Report a Phishing Scam page.
Check the Secure UD Threat Alerts blog for current information about phishing attacks and other security issues impacting the campus community.
Follow these guidelines to avoid phishing scams.
Identifying phishing scams
Phishing scams can take a variety of forms. Some might claim to come from IT and ask you to "validate" your account. Others might appear to come from a company you know and direct you to a fake site.
Follow these guidelines to identify phishing scams:
- Check the sender. If the from address is obviously not related to the entity from whom the email claims to come, then it's a phish. (For example, the University will not send you email from a personal Yahoo.com account.)
- Check that the subject and content match; if they're unrelated, you might be reading a phishing email. (For example, if the subject is about your email account but the content is about your bank account, the message is not legitimate.)
- Check the salutation. Legitimate business and commercial emails will typically include your name. Many common phishing scams are simple, almost stock messages that get copied, pasted, and sent to as many people as possible, so they will just read "Dear webmail user" or "Dear customer."
- Check for suspicious links. Hover over any links in the email and ensure that their actual destination is a legitimate website. Be wary of misspellings in the link destination, unrelated sites, and URL shorteners.
- Be wary of any sense of urgency. Phishers commonly use immediate deadlines or the threat of action to scare victims into doing something without thinking about it. (For example, a common phishing email demands that you verify your account immediately or it will be disabled.)
- Be wary of any request for personal information. Official and legitimate emails will not ask you to provide information such as your password or bank account number in email.
- Check for spelling and grammar issues. While most official and legitimate emails will not contain spelling or grammar errors (mistakes do happen sometimes), numerous errors, awkward wording, or non-fluent English are signs that you may have received a phishing scam.
In addition to the telltale signs of common phishing scams, there are ways to identify spear phishing scams:
- Check for the misuse of logos, names, and other proprietary or official information. Phishers may steal this information for use in their emails, but that doesn't mean they know how to use it. Watch out for old or incorrect logos or misused names and titles.
- Check to make sure that departments and names in the email, particularly in the byline or the signature, are real. Many phishers use common, technical-sounding names like "IT Help Desk" or "Webmail Administrator" when writing emails, but a brief search of the University directory will reveal that these entities don't even exist here.
- Reduce spam.
- Do not open emails from people or organizations you don't know. Instead, delete them immediately.
- Do not click links in emails (even an unsubscribe link). Instead, do a search or type the published URL of the site you're trying to reach in a new browser window or tab. You can also hover your mouse over the link to see where it will actually go.
- Do not provide bank account or credit card numbers, usernames and passwords, or other personal information in an email.
- Do not trust everything you supposedly get from friends; hackers may have stolen your friends' address books or contacts.
- Do not respond to phishing email asking to be removed from a mailing list. This will confirm your email address to the phisher and guarantee that you continue to be targeted by phishing attacks and other scams.
- Verify the content of an email by contacting the alleged sender through another communication channel, such as a new email or a telephone call.
- Check the Secure UD Threat Alerts blog to see whether you received the same phishing email as other members of the campus community.
- Report phishing scams for inclusion on the Secure UD Threat Alerts blog.
- Forward phishing emails to email@example.com and/or firstname.lastname@example.org and the company or organization being impersonated in the phishing message.
- Install and run anti-virus software.
- Keep your browser up to date. Most browsers will warn you before visiting a fake site, but you must update your browser regularly for this feature to be effective.
- Be wary of shortened URLs, which most commonly start with http://bit.ly, http://goog.le, or http://tinyurl.com. These URLs hide the original link, so it's hard to determine if they go to real or fake sites. With reputable senders like the UD Office of Communications and Public Affairs, shortened URLs are likely not problematic. For other senters that are not (or may not be) reputable, it probably is safer to open a new window or tab, go to the URL of the site you're trying to access, and search for the information.
- Verify that links actually go where they claim to go. Hover your mouse over the link to reveal the true destination. Avoid any links that take you to suspicious addresses, especially addresses that appear to be close fakes of real sites (such as "udel.edu.com" or "microsoff.com").
Avoiding Social Engineering and Phishing Attacks (US-CERT)
Explains what phishing is and offers tips for avoiding becoming a victim.
Phishing (OnGuard Online)
Explains briefly how to deal with phishing scams, including how to avoid them and how to report them.
Phishing scams (About.com)
Provides examples of common phishing scams and how to spot them.