PhishingPhishing is a social engineering technique where a malicious person sends an email, text or instant message that looks and sounds legitimate in order to compel users into taking a specific action. Many phishing attempts are designed to lure users into providing confidential information such as a username, password, social security number, bank account number or a PIN. One of the most common methods of phishing is via email. A phishing email may ask a user to click on a link to verify their account information, open an attachment to view an e-card, document, or message, or verify their username and password by replying to the email. The following are clues of some common characteristics associated with phishing emails:
- The email is addressed to a generic recipient.
- The email projects urgency, prompting the user for immediate action.
- The email contains an embedded link behind another link or text.
- The email subject line is uninformative and doesn’t reflect the message content.
- The email doesn't include an informative signature.
- The email prompts you for username and password or other sensitive information.
- A phishing message may include misspelled words, grammatical errors, or confusing information.
To avoid falling victim to a phishing attack:
- Use caution when opening unsolicited email messages.
- Avoid clicking on unsolicited web links found in email messages.
- Avoid sending or filling in forms with sensitive information before checking a website security;
- The use of https:// protocol.
- Secure icon (lock or key) at the right bottom of the website.
- Pay attention to the domain name, the name of the website and the extension (e.g. cmu.edu).
- Pay attention to your Passmark (e.g. the image you select when you set up an online banking account).
- Type the address of your bank or financial firm on the address bar yourself and then book mark it.
- Wait. Phishing websites on average do not exist for more than three days according to the Anti Phishing Working Group (APWG).
- Avoid responding to email from individuals claiming to be from a legitimate organization. Call the company and verify the identity of the individual yourself.
- Consider using anti-phishing, anti spyware software (e.g., spybot, spywareBlaster).
- Install and update your computer anti-virus software. Free options are available to all students, faculty and staff.
- Be aware of current phishing trends.
- Consider securing your web browser. To secure your web browser follow the steps posted on CERT website under "Securing Your Web Browser".
- You can practice spotting phishing with Anti-Phishing Phil and Anti-Phishing Phyllis
Need to report a concern?