Phishing

How to Recognize Phishing Attempts

Phishing attempts come in many forms, and are often disguised as legitimate e-mails from IT departments asking for account information. Many of these attempts have links that forward users to a web site in an effort to collect personal or confidential information.

If you believe that you have fallen victim to a phishing attempt and have inadvertently provided your password, immediately reset your password, call the IT HelpDesk at x4357, and forward a copy of the email as an attachment to helpdesk@lbcc.edu. The sooner you change your password and inform IITS, the more likely you are to prevent further disruption to the institution.

When people provide account information to cyber criminals, it negatively affects school business. LBCC is often unable to send email to anyone outside the institution, including students, and IITS is forced to spend time outside of normal work hours, including weekends and holidays, repairing the damage.

Social Engineering and Phishing

In technology, the term social engineering is used to describe the use of deception to lure people into revealing personal and/ or confidential information with the intent of using that information for fraudulent purposes. Social engineering spans various modes of communication and is often used to target specific groups.

Phishing is a form of social engineering that uses email, and often includes more focused schemes such as spear-phishing (appears to be from someone you know), and whaling (high value targets such as executives). Other forms include vishing (over the phone) and smishing (via phone texts).

Indicators of a Phishing Attempt

Most phishing attempts include more than one of the following.

• Never Supply Log-In Credentials

  Never supply your log-in credentials (user ID and password) or personally identifiable information in response to any email.

• Suspicious Sender Address

  The From address typically contains an email address you do not recognize or is something similar to a real organization but looks odd enough to warrant suspicion.

• Suspicious Links

  Before clicking on anything, hover your mouse over each link to display the real hyperlink. If it is unrecognizable or looks suspicious, do not click on it.

• Attachments

  Emails may ask you to open attachments that, in turn, contain buttons or links to perform the action specified in the email (access a document, change your password, etc.).

  Do not open anything you are uncertain of, especially when it’s a type of document you do not recognize.

• Threats

  Many phishing attempts use threats or create a sense of urgency. For instance, it may stipulate that your account will be terminated, suspended, expire, etc., so you need to reset your password or verify your account information. Do not respond to threats or pressure tactics.

• Poor Spelling and Bad Grammar

  While legitimate organizations typically have copy editors to prevent low quality emails, cyber-criminals are known for poor spelling and bad grammar.

• Website Spoofing

  Some phishing attempts include the look and feel of commonly known vendors and services (PayPal, Office 365, etc.) but there are usually significant visual differences. When in doubt, go directly to the real website instead of using the link.

Examples of Phishing Attempts

The examples provided below are from actual phishing attempts. Please note the destination of links or URLs circled in red, as they indicate a counterfeit site.

1. The following message looks similar to the one used by Outlook when a mailbox is almost full. It uses the terms “staff” and “faculty” and assures you that it is safe and has been scanned for viruses.

   

2. This one used the LBCC logo.

   

3. This website used an older version of the Outlook Web App login screen to lure people into providing account information.

   

Remember, if the email looks questionable or you do not recognize the link’s destination or URL of the website in question, do not click on, use, or reply to it. Please forward the email to helpdesk@lbcc.edu, and IITS will look into it.

Videos on Phishing

What is Phishing And How Can I Protect Myself? (2:28)

Video courtesy of AARP.

Additional Videos

• Higher Education Information Security Council (HEISC): Information Security Awareness Video: “Phishing:E-Safe” (1:02)
• Federal Communications Commission (FCC): Spoofing, Scamming, and Crackdown on Unwanted Calls (0:58)
• Federal Trade Commission (FTC): Hang Up and Report Phone Fraud (3:07)

Online Phishing Quizzes

Test your newly acquired skills by taking one or more of the following:

• Cisco OneDNS’s Phishing Quiz.
• Phishing Quiz with Google.
• SonicWall’s Phishing IQ Quiz.

Additional Resources

• Infographic: Phishing, Don’t Take the Bait.
• Cheat Sheet: Social Engineering Red Flags
• How to Recognize and Avoid Phishing Scams

Common Types of Scams

Phishing is used to facilitate a variety of scams. Click on one of the following links to learn more about a specific scam.

• Gift Card Scams
• Phone Scams
• Sextorion
• Tax Scams
• Tech Scams
• Additional Scams