Phishing explained
Phishing scams are fraudulent messages that appear to come from legitimate sources (such as your employer, your internet service provider, your bank, social media, etc.). These messages usually direct you to a spoofed website or otherwise get you to divulge private information (for example, passphrase, credit card, or other account updates). The perpetrators then use this private information to commit identity theft, or worse.
Phishing scams are social engineering tools designed to create a sense of panic for the recipient. These scams attempt to trick recipients into responding or clicking immediately, by claiming they will lose something (for example, email, bank account, etc.). Such a claim is always indicative of a phishing scam, as responsible companies and organizations will never take these types of actions via email.
Learn how to spot a phishing message.
Learn what to do if you’ve been phished.
Learn what to do if you have given away your email/username and password.
Specific types of phishing
Phishing scams can vary widely in terms of their intended goal.
Email Phishing
Email phishing is the most common type of phishing, and it has been in use since the 1990s. Hackers send these emails to any email addresses they can obtain. The email usually informs you that there has been a compromise to your account and that you need to respond immediately by clicking on a provided link. These attacks are usually easy to spot as language in the email often contains spelling and/or grammatical errors.
Some emails are difficult to recognize as phishing attacks, especially when the language and grammar are more carefully crafted. Checking the email source and the link you are being directed to for suspicious language can give you clues as to whether the source is legitimate. Learn how to identify a phishing email message.
Spear phishing
Phishing attacks directed at specific individuals are referred to as “spear phishing”. Since these attacks are so pointed, attackers may go to great lengths to gather specific personal or institutional information in the hope of making the attack more believable and increasing the likelihood of its success.
The best defense against spear phishing is to carefully, securely discard printed information that could be used in such an attack. Further, be aware of data that may be relatively easily obtainable (for example, your title at work, your favorite places, or where you bank), and think before acting on seemingly random requests via email or phone. Be cautious about how much personal information you share on social media platforms.
Whaling
The term “whaling” is used to describe phishing attacks (usually spear phishing) directed specifically at executive officers or other high-profile targets within a business, government, or other organization.
Smishing
Smishing is a phishing attack delivered by text message, or short message service (SMS). A common smishing technique is to deliver a message to a cell phone through SMS that contains a clickable link or a return phone number.
A common example of a smishing attack is an SMS message that looks like it came from your banking institution. It tells you your account has been compromised and that you need to respond immediately. The attacker asks you to verify your bank account number, SSN, etc. Once the attacker receives the information, the attacker has control of your bank account.
Vishing
Vishing has the same purpose as other types of phishing attacks. The attackers are still after your sensitive personal or corporate information. This attack is accomplished through a phone call.
A common vishing attack includes a call from someone claiming to be a representative from Microsoft. This person informs you that they’ve detected a virus on your computer. You’re then asked to provide credit card details so the attacker can install an updated version of anti-virus software on your computer. The attacker now has your credit card information and you have likely installed malware on your computer.
The malware could contain anything from a banking Trojan to a bot (short for robot). The banking Trojan watches your online activity to steal more details from you – often your bank account information, including your password.
A bot is software designed to perform whatever tasks the hacker wants it to. It is controlled through a command and control (C&C) channel and can be told to mine bitcoins, send spam, or take part in a distributed denial of service (DDoS) attack.
Search Engine Phishing
Search engine phishing, also known as SEO poisoning or SEO Trojans, is where hackers work to get their link ranked as a top result in a search engine. Clicking on their link displayed within the search results directs you to the hacker’s website. From there, threat actors can steal your information when you interact with the site and/or enter sensitive data. Hacker sites can pose as any type of website, but the prime candidates are banks, money transfer, social media, and shopping sites.
Don’t take the bait – Learn how to spot a phishing message
When you receive an email message, please consider the following:
- Are there red flags?
- Does the message ask for any personal information (password, credit cards, SSN, etc)?
- Does the message ask for sensitive information about others?
- Does the message ask you to immediately open an attachment?
- Hover your mouse over the links in the email. Does the hover-text link match what’s in the text? Do the actual links look like a site with which you would normally do business?
- When hovering over the link, does it look like the link belongs to the organization sending the message? Remember, generally speaking, the organization’s official website should be the last part of the domain name, before any subdirectory “/”. In some cases where third-party software is involved, the last part will be the domain of the third party.
- If still in doubt, go to the company’s website to see if they have any references to the information contained in the email message. In many cases, if there is a known phishing scam, companies will mention them on their websites.
- Does the “From” email address look like either someone you know, a business you work with, or a proper Goshen College email address?
- Does the From address that is displayed match the actual address that the message came from? Most email programs/services allow you to click to expand the From address to see the actual address that the message is coming from.
- Were you not expecting an email of this nature (e.g. password reset, account expiration, wire transfer, travel confirmation, package shipment, etc)?
- Is the email from an entity / person with whom you do not do business?
- Is it difficult to think of how the sender legitimately obtained your email address?
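To make the two link checks and the From-address check in the list above concrete, here is an added Python example that is not part of the original page. The organization name and domain it uses are placeholder assumptions (the page does not give the college’s web domain), and the sample links and From headers are constructed.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# The page names Goshen College but not its web domain, so these two values are
# assumptions made only so the example runs; substitute your own organization's.
ORG_NAME = "Example College"
ORG_DOMAIN = "example-college.edu"


def registrable_domain(hostname: str) -> str:
    """Last two labels of a host: "login.example-college.edu" -> "example-college.edu".
    Adequate for .edu/.com; suffixes such as .co.uk would need a public-suffix list."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_belongs_to_org(url: str, org_domain: str = ORG_DOMAIN) -> bool:
    """Checklist item: the organization's site must be the END of the host part,
    before any "/" path. The org name appearing as a leading label or in the path
    (example-college.edu.login-verify.net, evil.net/example-college.edu) does not count."""
    host = urlparse(url).hostname or ""
    return registrable_domain(host) == org_domain.lower()


def displayed_text_matches_link(link_text: str, href: str) -> bool:
    """Checklist item: does the hover-text link match the visible text? When the
    visible text is itself a URL, its site must be the one the link really goes to."""
    if "." not in link_text:
        return True  # plain label such as "Click here": nothing to compare against
    shown = link_text if "://" in link_text else "https://" + link_text
    shown_host = urlparse(shown).hostname or ""
    real_host = urlparse(href).hostname or ""
    return registrable_domain(shown_host) == registrable_domain(real_host)


def from_header_red_flag(from_header: str, org_name: str = ORG_NAME,
                         org_domain: str = ORG_DOMAIN) -> bool:
    """Checklist item: the displayed From name claims the organization, but the
    actual address (the part the mail client hides until expanded) is elsewhere."""
    display_name, address = parseaddr(from_header)
    claims_org = org_name.lower() in display_name.lower()
    actual_domain = registrable_domain(address.partition("@")[2])
    return claims_org and actual_domain != org_domain.lower()


if __name__ == "__main__":
    # Constructed sample inputs, not real messages.
    print(link_belongs_to_org("https://example-college.edu.login-verify.net/reset"))  # False
    print(displayed_text_matches_link("www.example-college.edu",
                                      "https://example-college.edu.login-verify.net/reset"))  # False
    print(from_header_red_flag('"Example College ITS" <alerts@mail-notify.net>'))  # True
```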
I think I’ve been phished! What should I do?
If you believe you are the recipient of a phishing email message, you can mark the message as spam. Goshen College uses KnowBe4 for cybersecurity training, which also provides a way for us to report phishing email messages. Employees will have an orange Phish Alert Button in their college email that they can use for reporting messages. For instructions on how to use the Phish Alert Button, refer to this document.
Students can use Google’s spam button for reporting messages.
I accidentally responded with my GC email/username and password. What do I do?
If you have given away your GC email/username and/or password, you will need to immediately change your GC password in MyGC, and then notify the ITS Help Desk at (574) 535-7700.