Phishing and Other Scams

Phishing

Phishing is the process of sending fake emails, usually appearing to be from someone you know and trust (a Lamar department, a bank, a credit card company, etc.), that attempt to deceive you into providing your sensitive information. The goal is to get you to click on the links they provide and/or open an attachment and follow the instructions inside.

Once you give up your username and password, or any personal information, it can then be used to breach your employer's systems, steal your money, or steal your identity.

Common Phishing Scams:

  • A scammer, posing as a known person, requests assistance in a task such as purchasing gifts cards or providing your mobile phone number.
  • Account Verification scams (impersonating a company/organization to threaten loss of access to your account)
  • Fake order confirmations

Watch for:

  • A sense of urgency
  • An offer that is too good to be true
  • The email addresses you with a general greeting and not specifically your name.
  • Links redirecting you to a form to fill out with your login information, such as passwords and MFA codes.

Tips to Prevent Phishing:

  • Do not follow links, instead go directly to the company/organization website on your own to log in.
  • Don't provide personal details in response to an unsolicited request.
  • Check email addresses. Does the email address match the displayed name of the person/organization sending the message? (E.g. "Lamar Financial Aid" or "IT Help Desk" sent from a @yahoo.com or @gmail.com address.)

Phishing Email Breakdown:

 Phishing email breakdown with indicators (red flags)
  1. Redacted email of a compromised .edu account - this was a compromised student account that had been used to send out phishing emails. .edu accounts are given a high degree of trust, which is why they are frequent targets of phishers. In this instance, an email sent from a Lamar address will not be marked as 'External', which could convince the recipient that it is real.
  2. Sent outside of normal business hours - This message, supposedly alerting users to an important account issue, was sent out at 10:59PM on a Tuesday.
  3. False claim that a student possessing multiple O365 accounts from different schools is a problem - Students enrolling at different colleges is a common occurrence. Students typically receive accounts at each school.
  4. Urgency stressed to take action - Giving you a strict 24 hour window to prevent your account from being terminated is an easy red flag to spot.
  5. Suspicious URL included in body of message - The message says the URL will redirect you to a form to fill out information including your email password, which should never be shared with anyone.
  6. No email signature - Other than the name displayed from the sender, there is no verifiable signature. A signature may be absent or may contain inaccurate information that cannot be independently verified from a website. (E.g. an incorrect Service Desk phone number that does not match the number published on Lamar's website cannot be verified.)
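The red flags in this breakdown can be turned into a simple triage checklist for a reported message. The script below is an added example, not part of this page or Lamar's own tooling; the sample email, the list of consumer mail domains and the 08:00-18:00 business-hours window are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
# Constructed sample modelled on the breakdown above; not a real message.
SAMPLE = """\
From: IT Help Desk <helpdesk.notice@gmail.com>
To: student@example.edu
Date: Tue, 12 Mar 2024 22:59:00 -0500
Subject: Action required: duplicate O365 accounts

Dear user,
Our records show you hold multiple O365 accounts. Verify your email
password within 24 hours at http://example.net/verify-form or your
account will be terminated.
"""
# Assumed list of consumer mailbox providers a help desk would not send from
CONSUMER_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours?|terminated|suspended)\b", re.I)
GENERIC_GREETING = re.compile(r"^(dear|hello|hi)\s+(user|customer|member)\b", re.I | re.M)
CREDENTIAL_ASK = re.compile(r"\b(password|mfa code|verification code)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)
SIGNATURE = re.compile(r"^(regards|sincerely|thanks|thank you),?\s*$", re.I | re.M)
def red_flags(raw: str) -> list[str]:
    """Return the red flags from the checklist above that the message trips."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # Display name claims a role (Help Desk, Financial Aid) but the address is a consumer mailbox
    if name and domain in CONSUMER_DOMAINS:
        flags.append("sender name does not match address domain")
    try:
        sent = parsedate_to_datetime(msg.get("Date", ""))
        # Weekend, or outside the assumed 08:00-18:00 window in the sender's own time zone
        if sent.weekday() >= 5 or not 8 <= sent.hour < 18:
            flags.append("sent outside business hours")
    except (TypeError, ValueError):
        flags.append("missing or unparseable Date header")
    if GENERIC_GREETING.search(body):
        flags.append("generic greeting")
    if URGENCY.search(body):
        flags.append("urgency or deadline")
    if LINK.search(body) and CREDENTIAL_ASK.search(body):
        flags.append("link plus request for credentials")
    if not SIGNATURE.search(body):
        flags.append("no signature block")
    return flags
```

Running `red_flags(SAMPLE)` trips all six indicators from the breakdown; a message with a matching institutional sender, a named greeting and a signature block trips none.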


Smishing

Smishing is a type of attack performed over text (SMS) message, hence the name, a combination of "SMS" and "phishing". The goal, as with phishing, is to trick recipients of a message into divulging sensitive information. The information you provide can then be used to launch attacks against others or to gain access to financial information.

Common Smishing Scams:

  • Account Verification
  • Shipping Delays
  • Account or Service Cancellation
  • Bank Fraud

Each of these cases involves a sense of urgency to entice the recipient to click on included links that can send them to a fraudulent website or download malware to their device.

Watch for:

  • Threats of prosecution
  • Urgency for a response
  • Promises of something too good to be true.
  • Odd grammar and word usage.
  • Banks, Creditors, or Institution Help Desks that request account login information
  • Receiving unsolicited Duo pushes or SMS codes

Tips to Prevent Smishing:

  • Never rush to click on a link.
  • Never share personal information
  • Activate multi-factor authentication (MFA) on all accounts with your banks, creditors, and social media.
  • Contact the organization directly if you are unsure of the message authenticity.

Quishing

Quishing, or QR phishing, is the act of using fraudulent QR codes to redirect unsuspecting users to malicious websites or to install viruses or other malware on their mobile device to collect sensitive information.

Common Quishing Scams:

  • Scam to access an encrypted voice message
  • Chance to win scams.

Watch for:

  • Incorrect URLs.
  • Odd QR code placement.
  • QR codes not placed in official locations for the represented company.

Tips to Prevent Quishing:

  • Preview the destination URL after scanning a QR code.
  • Avoid scanning public QR codes you didn't expect to use, especially in high-traffic areas
  • Exercise caution when entering personal or financial details after scanning a QR code.

Vishing

Vishing, short for "voice phishing", is a type of attack that uses phone calls to deceive individuals into anything from providing sensitive information to paying fake debts.

Common Vishing Scams:

  • Missed Jury Service Warrant
  • IRS Unpaid Taxes
  • Unusual Bank Account activity
  • Social Security Verification
  • Unpaid Bill Scams

Watch for:

  • Unknown numbers, especially those from a foreign country.
  • A sense of urgency in the message.
  • Questions that escalate from confirming an address to asking for a Social Security number.
  • Does the accusation make sense?

Tips to Prevent Vishing:

  • Don't answer phone calls from unknown numbers.
  • Call a company directly to confirm issues. Do not trust the caller's word.
  • Register your phone number with the National Do Not Call Registry.
  • Use call blocking.
  • Take your time.  Attackers tend to use speed to pressure a quick response.

Additional Tips to Avoid These Scams

  • No reputable organization will ever ask you for confidential information via email or text message.
  • Never respond to an email from a source you are not 100 percent sure of; when in doubt, call them.
  • Never be afraid to call the company. If they want your information, they should be able to take it over the phone. Even if you do call a company, it doesn’t hurt to ask why they need to collect certain information.
  • Always check the authenticity of a website before you provide any of your personal information.
  • Never click on a link in a suspicious email because it may take you to a malicious site. Open a new browser using a private window and navigate to the page yourself.
  • Phishing emails may contain strange words, misspelled words or unusual or awkward phrasing on purpose to help them avoid SPAM-filtering software.
  • Don’t take good grammar as a sure sign of authenticity.
  • Phishers are getting smarter, and often copy legitimate messages including real company logos. Be sure to look for other suspicious markers.