Phishing

Phishing is a form of social engineering where the attacker attempts to trick people into revealing private information by sending fake emails that appear to be from reputable sources.

Here are a few things to look for when trying to figure out if an email is a phishing attack:

• Sender - Verify who the email is coming from. If you do not recognize the sender, or the 'reply' address is different, the email may be a phish.
• Links - Check for suspicious looking links included in the email. Hover your cursor over the link before clicking to identify the web address.
• Attachments - An unexpected email that includes an attachment is a red flag.
• Emotion - Most phishing emails use a sense of urgency or fear in an attempt to get the victim to click on a link or complete a task in favor of the sender.
• Data - Sometimes the objective of a phishing scam is to get personal data. Never give away personal information such as passwords or social security numbers.

• Report the phishing attempt to spam@rit.edu.
• Inspect your computer if you clicked on the link by running a virus scan. Change any passwords you think may have been affected.
• Delete the phishing attempt.

• Never respond with any personal information. 
• Do not click any links or open any attachments.
• Check RIT PhishBowl for the email. If it is not already there, forward the phishing attempt to spam@rit.edu. The Information Security Office will spread awareness of this specific phishing attempt.
• Change your account password if you feel as though your password has been compromised.
• Back up your data on a regular basis to limit the impact of a phishing scam.

• Spear Phishing - Targets a specific group or person where emails are personalized to match internal communications at the target organization.
• Whaling - Targets high profile employees in order to steal private information involving employees or financial data for malicious intent.
• Vishing - Phishing scam through phone calls or voice mails pretending to be from a reputable source in order to reveal personal information.
• Smishing - Also called "SMS Phishing," this is a social engineering attack to gather information through text message.
• Business Email Compromise - A targeted email where the sender appears to be an executive in the organization.
• Calendar Phishing - Malicious links are included in calendar invitations that are directly shared with targets.

• RIT PhishBowl - A grouping of phishing attempts reported at RIT.
• Spear Phishing - Learn more about spear phishing from the RIT ISO.
• Educause 2019 - Social engineering tactics and prevention techniques.
• BEC Video - Awareness video about Business Email Compromise