Phishing - Computing Services ISO - Carnegie Mellon University


Phishing is a social engineering technique in which a malicious person sends an email, text, or instant message that looks and sounds legitimate in order to manipulate users into taking a specific action. Many phishing attempts are designed to lure users into providing confidential information such as a username, password, social security number, bank account number, or PIN.

One of the most common methods of phishing is via email. A phishing email may ask a user to click on a link to verify their account information, open an attachment to view an e-card, document, or message, or verify their username and password by replying to the email. The following are common characteristics associated with phishing emails:
  • The email is addressed to a generic recipient.
  • The email projects urgency, prompting the user for immediate action.
  • The email contains a link whose visible text differs from its actual destination (a link hidden behind other link text or wording).
  • The email subject line is uninformative and doesn’t reflect the message content.
  • The email doesn't include an informative signature.
  • The email prompts you for username and password or other sensitive information.
  • A phishing message may include misspelled words, grammatical errors, or confusing information.
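The clues above can be turned into a simple mail-triage check. The following is an added example, not code from the original page or from CMU Computing Services; it applies four of the listed clues (generic greeting, urgency, a request for credentials, an uninformative subject) plus the hidden-link check to a constructed sample message. The keyword lists and the two-word subject threshold are assumptions for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message for demonstration; not a real phishing email.
SAMPLE = """\
From: "Help Center" <support@example.net>
To: undisclosed-recipients:;
Subject: Important
Content-Type: text/html

<p>Dear Customer,</p><p>Your account will be suspended within 24 hours.
Verify your username and password immediately:
<a href="http://example.com/login">https://www.cmu.edu/login</a></p>
"""

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def hostname(url):
    """Hostname of a URL or bare domain (None for text that is not one)."""
    if not re.fullmatch(r"\S+\.\S+", url):
        return None
    return urlparse(url if "://" in url else "http://" + url).hostname

def phishing_indicators(raw):
    """Return the clues from the list above that a raw RFC 5322 message triggers."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hits = []
    if re.search(r"\bdear (customer|user|member|client)\b", text, re.I):
        hits.append("generic recipient")
    if re.search(r"\b(immediately|within \d+ hours|suspended|urgent)\b", text, re.I):
        hits.append("urgency")
    if re.search(r"\b(username|password|ssn|pin)\b", text, re.I):
        hits.append("asks for sensitive information")
    if len((msg["Subject"] or "").split()) < 2:  # assumed threshold
        hits.append("uninformative subject")
    # Visible link text that names a different host than the real href target.
    for href, visible in ANCHOR.findall(text):
        shown = hostname(re.sub(r"<[^>]+>", "", visible).strip())
        real = hostname(href)
        if shown and real and shown != real:
            hits.append(f"link text {shown} hides {real}")
    return hits
```

Keyword matching of this kind is a coarse first pass; the link-mismatch check is the most reliable of the five, since it compares what the user sees with where the browser would actually go.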

To avoid falling victim to a phishing attack:

  • Use caution when opening unsolicited email messages.
  • Avoid clicking on unsolicited web links found in email messages.
  • Avoid sending sensitive information or filling in forms before checking the website's security:
    • The use of the https:// protocol.
    • Secure icon (lock or key) at the right bottom of the website.
    • Pay attention to the domain name, the name of the website and the extension (e.g.
    • Pay attention to your Passmark (e.g. the image you select when you set up an online banking account).
  • Type the address of your bank or financial firm into the address bar yourself and then bookmark it.
  • Wait: phishing websites on average do not exist for more than three days, according to the Anti-Phishing Working Group (APWG).
  • Avoid responding to email from individuals claiming to be from a legitimate organization. Call the company and verify the identity of the individual yourself.
  • Consider using anti-phishing and anti-spyware software (e.g., Spybot, SpywareBlaster).
  • Install and update your computer's anti-virus software. Computing Services provides the university community with free Symantec Endpoint Protection anti-virus software.
  • Be aware of current phishing trends.
  • Consider securing your web browser. To secure your web browser, follow the steps posted on the CERT website under "Securing Your Web Browser".

If you have any questions or concerns, contact the Information Security Office at or 412-268-2044. Please be advised that the Computing Services Help Center will not ask for your username and password in an email.