How to recognize and protect against malicious email attacks
Important: make sure to keep your network/e-mail password to yourself. LBCC policy 6006.4 specifically prohibits the sharing of account information. No one, not even IITS, should ask for it. If anyone asks for your password, please report it to firstname.lastname@example.org so IITS can reiterate this policy.
Phishing attempts come in many forms and are often disguised as legitimate e-mail from IT departments asking for account information. Many of these attempts have links that forward users to a website in an effort to collect personal or confidential information.
If you believe that you have fallen victim to a phishing attempt and have inadvertently provided your password, immediately reset your password, call the LBCC Help Desk, and forward them a copy of the email. The sooner you change your password and inform IITS, the more likely you are to prevent further disruption to the institution.
When people provide account information to these scams, it negatively affects school business. LBCC is often unable to send email to anyone outside the institution, including students, and IITS is forced to spend time outside of normal work hours, including weekends and holidays, repairing the damage.
Social Engineering & Phishing
In technology, the term social engineering describes the use of deception to lure people into revealing personal and/or confidential information, with the intent of using that information for fraudulent purposes. Social engineering spans various modes of communication and is often used to target specific groups.
Phishing is a form of social engineering that uses email and often includes more focused schemes such as spear-phishing (appears to be from someone you know) and whaling (high-value targets such as executives). Other forms include vishing (over the phone) and smishing (via phone texts).
Check out a cheat sheet of Social Engineering Red Flags made available to the public by the security awareness vendor KnowBe4, Inc.
Indicators of a Phishing Attempt
Typical email phishing attempts can include the following elements:
- POOR SPELLING & GRAMMAR. While legitimate organizations typically have copy editors to prevent low-quality emails from being sent, cybercriminals are known for poor spelling and bad grammar.
- THREATS. Many phishing attempts come in the form of threats, such as account suspension or notifications that your security has been compromised.
- STRANGE LINKS IN EMAIL. If you are unsure of the origin of an email, and it contains links, do not click on them. Instead, hover your mouse over the link to display the real address. If it looks suspicious, do not click on it.
- POPULAR WEBSITE SPOOFING. Some phishing attempts appear legitimate because they employ the look and feel of commonly known applications or services.
Examples of Phishing Attempts
Phishing attempts can come in many different forms and are sometimes hard to identify. If the email looks questionable, and you do not recognize the link’s destination or the URL of the website in question, do not click on, use, or reply to it. Please forward the email to the LBCC Help Desk, and IITS will look into it.
For more information regarding these types of attempts, check out Cisco Systems' security resources on phishing attacks.
A phone scam, sometimes referred to as phone phishing or vishing, employs similar concepts to email phishing in order to gain personal information, access to accounts, and collect money.
Always be cautious of high-pressure tactics. The worst scams typically demand some form of payment within a 24-hour period, followed by a threat of police arrest or other frightening outcomes. Do not fall for this tactic. Whenever you are concerned or unsure about an unsolicited phone call, it is always best to end the call and call the agency or business directly.
Learn more about recognizing, mitigating, and reporting phone scams from the following resources.
- The Internal Revenue Service’s advice on handling tax scams.
- Federal Trade Commission’s consumer information on phone scams.
- Microsoft’s advice on how to avoid technical support phone scams.
If you believe you have been the subject of a potential phone scam, you can file a complaint with the Federal Trade Commission (FTC).
The Federal Trade Commission also provides 10 excellent tips on avoiding fraud that are applicable to scams via email, phone calls, or face-to-face interactions.