Phishing is a form of social engineering where the attacker attempts to trick people into revealing private information by sending spoofed e-mails that appear to be from reputable companies. Phishing e-mails provide a link to a seemingly authentic page where you can login and reveal your username, password and other personal identifying information (PII)." Online scammers can then use this information to access your accounts, gather additional private information about you, and make purchases or apply for credit in your name.
General protection against phishing scams
- NEVER RESPOND TO A REQUEST FOR YOUR PASSWORD sent by e-mail, even if the request appears legitimate. RIT will NEVER ask for your password through e-mail.
- Do not provide identity information, including credit card numbers, when you receive an unsolicited e-mail or phone call.
- Do not open attachments in unexpected or suspicious e-mails or instant messages.
- Do not click anywhere on the e-mail—even in what may appear to be white space.
- Delete the e-mail or instant message.
- If the e-mail or instant message provides a link to a site where you are requested to enter personal information, it may be a phish. The real link may also be masked. Move your mouse over the link and it may show a different address than the one displayed in the e-mail.
- Be selective in what sites you provide with your RIT e-mail address.
- Use a limited or non-administrator account when opening e-mail and browsing the Internet. A limited account will help protect you against many malware attacks. Finance and Administration (and some RIT colleges) already protect their users by giving them limited accounts.
- Enable site checking on your browser.
- Add an anti-phishing toolbar to your browser. Anti-phishing toolbars help detect and may block known phishing sites. ITS is providing McAfee anti-phishing tools to ePO-managed users.
Report a Phish
Report a phish by emailing firstname.lastname@example.org. You can forward phishing attempts to this email.
Resources to Help Identify and Avoid Falling for a Phish
Spear phishing targets a specific person or group of people (usually within a specific organization or government agency). Spear phishing e-mails are tailored to match internal communications at the target organization and may even include personal details.
Phishing in Instant Messaging
Although most phishing occurs through e-mails, fraudsters have begun using instant messaging to pose as government officials and trick people into revealing identity information.
Current Phishing Scams
Millersmiles.co.uk is an Internet community that archives phishing scams. Visit them to check if a particular e-mail or website has been reported by others, or report it yourself.
Internet Explorer 7.x and higher, Safari 3.2 and higher, and Mozilla Firefox 3.x and higher all provide some protection against phishing. E-mail clients such as Microsoft Outlook 2007 and Mozilla Thunderbird 2 also include anti-phishing features, such as disabling suspicious links and blocking pictures and attachments. As of August 1, 2009, all RIT-owned and leased computers must have some form of anti-phishing controls in place.
We recommend the following browser tools to help you identify suspicious websites:
- The Netcraft Toolbar is a browser plug-in available for Firefox on Windows, Mac, and Linux. The toolbar helps stop phishing attempts by blocking known phishing sites and providing hosting information about the sites you visit.
- The McAfee Site Advisor is a browser plug-in available for Internet Explorer and Firefox. Site Advisor warns you of websites known to have malicious downloads or links by checking them against a database at McAfee.
Note: You should not install this version of McAfee Site Advisor on any RIT-owned computer currently running McAfee ePO. More information can be found here.