Phishing is a form of social engineering where the attacker attempts to trick people into revealing private information by sending fake emails that appear to be from reputable sources.
Identifying a Phishing Email
Here are a few things to look for when trying to figure out if an email is a phishing attack:
- Sender - Verify who the email is coming from. If you do not recognize the sender, or the reply-to address differs from the sender's address, the email may be a phish.
- Links - Check for suspicious-looking links included in the email. Hover your cursor over the link before clicking to reveal the actual web address it points to.
- Attachments - An unexpected email that includes an attachment is a red flag.
- Emotion - Most phishing emails use a sense of urgency or fear in an attempt to get the victim to click on a link or complete a task in favor of the sender.
- Data - Sometimes the objective of a phishing scam is to get personal data. Never give away personal information such as passwords or social security numbers.
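The checklist above can be applied mechanically. The following is an added example, not part of the original page, that runs the sender, link, attachment and emotion checks over a constructed sample message; the addresses and hostnames in the sample are placeholders, not real indicators.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample (not a real phish): From and Reply-To disagree, the link
# text shows one host while the href points elsewhere, and the body pushes urgency.
SAMPLE_EMAIL = """\
From: "IT Help Desk" <helpdesk@example.edu>
Reply-To: support@example-mail.invalid
To: student@example.edu
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Your mailbox is over quota. Verify immediately or lose access.</p>
<p><a href="http://login.example-mail.invalid/verify">https://login.example.edu</a></p>
"""

URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify")

def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL or bare domain string."""
    parsed = urlparse(url if "://" in url else "//" + url)
    return (parsed.hostname or "").lower()

def addr_domain(header_value: str) -> str:
    """Pull the domain out of an address header like 'Name <user@host>'."""
    match = re.search(r"@([\w.-]+)", header_value or "")
    return match.group(1).lower() if match else ""

def check_email(raw: str) -> list[str]:
    """Apply the sender/links/attachments/emotion checks; return the red flags found."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    sender, reply_to = addr_domain(msg["From"]), addr_domain(msg["Reply-To"])
    if reply_to and reply_to != sender:
        flags.append(f"reply-to domain {reply_to} differs from sender domain {sender}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    # Displayed link text naming a different host than the href is the classic "hover" tell.
    for href, shown in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', text, re.I):
        if host_of(shown) and host_of(shown) != host_of(href):
            flags.append(f"link text shows {host_of(shown)} but points to {host_of(href)}")
    if any(part.get_filename() for part in msg.walk()):
        flags.append("unexpected attachment present")
    lowered = ((msg["Subject"] or "") + " " + text).lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if len(hits) >= 2:
        flags.append("urgency language: " + ", ".join(hits))
    return flags
```

Heuristics like these only surface red flags for a human to review; a message with no flags is not proven safe.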
RID RIT of Phishing Attempts
- Report the phishing attempt to email@example.com.
- Inspect your computer if you clicked on the link by running a virus scan. Change any passwords you think may have been affected.
- Delete the phishing attempt.
What to do After Receiving a Phishing Email
- Never respond with any personal information.
- Do not click any links or open any attachments.
- Check RIT PhishBowl for the email. If it is not already there, forward the phishing attempt to firstname.lastname@example.org. The Information Security Office will spread awareness of this specific phishing attempt.
- Change your account password if you feel as though your password has been compromised.
- Back up your data on a regular basis to limit the impact of a phishing scam.
Other Phishing Scams
- Spear Phishing - Targets a specific person or group with emails personalized to match internal communications at the target organization.
- Whaling - Targets high-profile employees in order to steal private employee information or financial data for malicious ends.
- Vishing - A phishing scam conducted through phone calls or voicemails pretending to be from a reputable source in order to get the victim to reveal personal information.
- Smishing - Also called "SMS Phishing," this is a social engineering attack to gather information through text message.
- Business Email Compromise - A targeted email where the sender appears to be an executive in the organization.
- Calendar Phishing - Malicious links are included in calendar invitations that are directly shared with targets.
- RIT PhishBowl - A grouping of phishing attempts reported at RIT.
- Spear Phishing - Learn more about spear phishing from the RIT ISO.
- Stop. Think. Connect. - Limit the impact from a successful phishing attempt.
- Educause 2019 - Social engineering tactics and prevention techniques.
- BEC Video - PhishLine video about Business Email Compromise.