Carnegie Mellon University

Phishing

Phishing is a social engineering technique in which a malicious person sends an email, text or instant message that looks and sounds legitimate in order to trick users into taking a specific action. Many phishing attempts are designed to lure users into providing confidential information such as a username, password, Social Security number, bank account number or PIN. One of the most common phishing methods is email. A phishing email may ask a user to click on a link to verify their account information, open an attachment to view an e-card, document or message, or verify their username and password by replying to the email. The following are some common characteristics of phishing emails:
  • The email is addressed to a generic recipient.
  • The email projects urgency, prompting the user for immediate action.
  • The email contains an embedded link behind another link or text.
  • The email subject line is uninformative and doesn’t reflect the message content.
  • The email doesn't include an informative signature.
  • The email prompts you for username and password or other sensitive information.
  • A phishing message may include misspelled words, grammatical errors, or confusing information.

To avoid falling victim to a phishing attack:

  • Use caution when opening unsolicited email messages.
  • Avoid clicking on unsolicited web links found in email messages.
  • Avoid sending or filling in forms with sensitive information before checking the website's security:
    • The URL uses the https:// protocol.
    • A secure icon (lock or key) is shown at the bottom right of the website.
    • Pay attention to the domain name: the name of the website and its extension (e.g. cmu.edu).
    • Pay attention to your Passmark (e.g. the image you selected when you set up an online banking account).
  • Type the address of your bank or financial firm into the address bar yourself and then bookmark it.
  • Wait. According to the Anti-Phishing Working Group (APWG), phishing websites on average do not exist for more than three days.
  • Avoid responding to email from individuals claiming to be from a legitimate organization. Call the company and verify the identity of the individual yourself.
  • Consider using anti-phishing and anti-spyware software (e.g., Spybot, SpywareBlaster).
  • Install and update your computer anti-virus software. Free options are available to all students, faculty and staff.
  • Be aware of current phishing trends.
  • Consider securing your web browser. To do so, follow the steps posted on the CERT website under "Securing Your Web Browser".
  • You can practice spotting phishing with Anti-Phishing Phil and Anti-Phishing Phyllis.

If you have any questions or concerns, contact the Information Security Office at iso@andrew.cmu.edu or 412-268-2044. Please be advised that the Computing Services Help Center will not ask for your username and password in an email.
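The characteristics listed above (generic recipient, urgency, a link whose visible text hides a different destination, an uninformative subject, a request for credentials) and the domain check recommended above can be turned into a simple screening script. This is an added example, not code from the CMU Information Security Office; the keywords, function names and the sample message are constructed, and example-phish.test is a placeholder domain.

```python
# Added example (not from the CMU page): heuristic check for the phishing
# indicators listed above; all names, keywords and the message are constructed.
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample message; example-phish.test is a placeholder domain.
SAMPLE = """\
From: "Account Services" <support@example-phish.test>
To: undisclosed-recipients:;
Subject: Important
Content-Type: text/html

<p>Dear Customer,</p>
<p>Your account will be suspended within 24 hours unless you
<a href="http://login.example-phish.test/verify">https://www.cmu.edu/login</a>
and confirm your username and password immediately.</p>
"""

URGENCY = re.compile(r"\b(immediately|within \d+ hours|suspended|urgent)\b", re.I)
CREDENTIALS = re.compile(r"\b(username|password|pin|social security)\b", re.I)
GENERIC = re.compile(r"\bdear (customer|user|member)\b|undisclosed-recipients", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(url: str) -> str:
    """Last two labels of the URL's host (e.g. cmu.edu); ignores public-suffix lists."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return ".".join(host.rsplit(".", 2)[-2:])

def phishing_indicators(raw: str, expected_domain: str) -> list[str]:
    """Return the indicators from the list above that fire on one raw message."""
    msg = message_from_string(raw)
    body, subject = msg.get_payload(), msg.get("Subject", "")
    hits = []
    if GENERIC.search(msg.get("To", "")) or GENERIC.search(body):
        hits.append("generic recipient")
    if URGENCY.search(body):
        hits.append("urgency")
    if len(subject.split()) < 3:  # one or two words rarely describe the content
        hits.append("uninformative subject")
    if CREDENTIALS.search(body):
        hits.append("asks for credentials")
    for href, shown in ANCHOR.findall(body):
        shown = re.sub(r"<[^>]+>", "", shown).strip()  # visible anchor text
        if registrable_domain(href) != expected_domain:
            hits.append(f"link to {registrable_domain(href)}, not {expected_domain}")
        if shown.startswith("http") and registrable_domain(shown) != registrable_domain(href):
            hits.append("link text hides a different destination")
    return hits
```

Running `phishing_indicators(SAMPLE, "cmu.edu")` reports all six indicators for the sample, while a plainly written message that links only to cmu.edu reports none.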