Phishing is a form of social engineering in which the attacker attempts to trick people into revealing private information by sending spoofed e-mails that appear to be from reputable companies. Phishing e-mails provide a link to a seemingly authentic page where you can log in and reveal your username, password and other personally identifiable information (PII). Online scammers can then use this information to access your accounts, gather additional private information about you, and make purchases or apply for credit in your name.
Identifying a Phishing E-mail
- Sender. Verify who the e-mail is coming from. If you do not recognize the sender or the ‘reply-to’ address is different, the e-mail may be a phish.
- Links. Check for suspicious-looking web addresses included in the e-mail. Hover your cursor over the link before clicking to verify the actual destination address.
- Attachments. An unexpected e-mail from an external organization that includes an attachment is a red flag.
- Emotion. Most phishing e-mails convey a strong sense of urgency or fear in an attempt to get the recipient to click on a link or complete a task in favor of the sender.
- Data. Sometimes the objective of a phishing scam is to get personal data from the target. Never give away personal information such as passwords or social security numbers.
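The Sender, Links and Emotion checks above can be applied mechanically to a message before anyone clicks. The script below is an added example, not a tool from the RIT ISO: it parses a constructed sample e-mail (the addresses, domains and wording are invented for illustration) and flags a Reply-To domain that differs from the From domain, links whose visible text shows one domain while the underlying href points to another, and urgency wording in the subject or body. Only the Python standard library is used.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for demonstration; not a real phish and not RIT mail.
SAMPLE_EML = """\
From: "IT Help Desk" <helpdesk@example.edu>
Reply-To: support-desk@example-mail.net
To: student@example.edu
Subject: Urgent: your mailbox will be deactivated in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account is locked. Visit
<a href="http://login.example-mail.net/verify">https://myaccount.example.edu/login</a>
to keep access.</p>
<p>Questions? See <a href="https://www.example.edu/security">the security site</a>.</p>
</body></html>
"""

# Wording that signals the "Emotion" red flag (assumed list, extend as needed).
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours",
                 "suspended", "deactivated", "locked")


def registrable_domain(host: str) -> str:
    """Crude approximation of the registrable domain: the last two labels."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw: str) -> dict:
    """Apply the Sender, Links and Emotion checks to one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg["From"] or ""))
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    findings = {"reply_to_mismatch": False, "deceptive_links": [], "urgency_terms": []}

    # Sender check: a Reply-To on a different domain than From is a red flag.
    if reply_addr and from_addr:
        from_dom = registrable_domain(from_addr.split("@")[-1])
        reply_dom = registrable_domain(reply_addr.split("@")[-1])
        findings["reply_to_mismatch"] = from_dom != reply_dom

    # Links check: visible text that looks like a URL must point where it claims.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings["deceptive_links"].append({"shown": text, "actual": href})

    # Emotion check: urgency or fear wording in subject or body.
    blob = (str(msg["Subject"] or "") + " " + html).lower()
    findings["urgency_terms"] = [w for w in URGENCY_WORDS if w in blob]
    return findings


if __name__ == "__main__":
    print(analyze_message(SAMPLE_EML))
```

The domain comparison uses the last two DNS labels, which is adequate for the sample but would treat every `.co.uk` host as the same site; a real filter would use a public-suffix list. A message that trips none of these checks can still be a phish, so the script is a triage aid for the manual checks above, not a replacement for them.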
Safe Practices after Receiving a Phishing E-Mail
- Never respond with any personal information
- Do not click any links or open any attachments
- Report the e-mail to email@example.com and delete the message
- Change your account password if you feel as though your password is compromised
- Back up your data on a regular basis to limit the impact of a phishing scam
Other Phishing Scams
- Spear Phishing. Targets a specific person or group of people where e-mails are tailored to match internal communications at the target organization.
- Whaling. Targets high-profile employees in order to steal private information involving employees or financial data for malicious intent.
- Vishing. A phishing scam carried out through phone calls or voice mails that pretend to be from a reputable source in order to get the target to reveal personal information.
- Smishing. Also called “SMS phishing”, this is a social engineering attack to gather private information from a target through text messaging.
- Business Email Compromise. A targeted e-mail where the sender appears to be an executive in the organization. See more information: https://www.rit.edu/security/content/business-email-compromise-bec
- RIT PhishBowl: A grouping of phishing attempts reported at RIT
- Spear Phishing: Learn more about spear phishing from the RIT ISO
- Phishing Brochure: Field guide to identifying phishing and scams
- Educause April 2019: Social engineering tactics and prevention techniques
- DSH Phishing Poster: Detecting a phish and other social engineering attacks
- Stop. Think. Connect: Limit the impact from a successful phishing attempt
- BEC Video: PhishLine video about Business Email Compromise
RID RIT of Phishing Attempts
- REPORT the phishing attempt to firstname.lastname@example.org
- INSPECT your computer if you clicked on the link by running a virus scan. (Change your password if you provided it.)
- DELETE the phishing attempt