Phishing

Overview

Phishing is a form of social engineering where the attacker attempts to trick people into revealing private information by sending fake emails that appear to be from reputable sources.

Identifying a Phishing Email

Here are a few things to look for when trying to figure out if an email is a phishing attack:

  • Sender - Verify who the email is coming from. If you do not recognize the sender, or the 'reply' address is different, the email may be a phish.
  • Links - Check for suspicious looking links included in the email. Hover your cursor over the link before clicking to identify the web address.
  • Attachments - An unexpected email that includes an attachment is a red flag.
  • Emotion - Most phishing emails use a sense of urgency or fear in an attempt to get the victim to click on a link or complete a task in favor of the sender.
  • Data - Sometimes the objective of a phishing scam is to get personal data. Never give away personal information such as passwords or social security numbers.

RID RIT of Phishing Attempts

  • Report the phishing attempt to spam@rit.edu.
  • Inspect your computer if you clicked on the link by running a virus scan. Change any passwords you think may have been affected.
  • Delete the phishing attempt.

What to do After Receiving a Phishing Email

  • Never respond with any personal information. 
  • Do not click any links or open any attachments.
  • Check RIT PhishBowl for the email. If it is not already there, forward the phishing attempt to spam@rit.edu. The Information Security Office will spread awareness of this specific phishing attempt.
  • Change your account password if you feel as though your password has been compromised.
  • Back up your data on a regular basis to limit the impact of a phishing scam.

Other Phishing Scams

  • Spear Phishing - Targets a specific group or person where emails are personalized to match internal communications at the target organization.
  • Whaling - Targets high profile employees in order to steal private information involving employees or financial data for malicious intent.
  • Vishing - Phishing scam through phone calls or voice mails pretending to be from a reputable source in order to reveal personal information.
  • Smishing - Also called "SMS Phishing," this is a social engineering attack to gather information through text message.
  • Business Email Compromise - A targeted email where the sender appears to be an executive in the organization.
  • Calendar Phishing - Malicious links are included in calendar invitations that are directly shared with targets.

Additional Resources