Phishing

78% of individuals fall victim to at least one phishing attempt in their lifetime.


What is phishing?

Phishing is described by the SANS Institute as a "psychological", message-based attack geared towards tricking users into providing personal or confidential information directly, or into performing an action that indirectly compromises confidential information. The internet and its connected devices are constantly changing and multiplying. As such, cybercriminals have become crafty at luring users into clicking on an infected attachment or a link, or into directly giving up their personal information. Emails and other types of instant messages can be crafted to look like legitimate messages from a trusted source, including your bank, a friend or a family member. Scammers will use fake links to surveys that ask for personal information at the end in order to award you a prize or give you your results. Fake Facebook profiles can also be made to emulate a real business (like Netflix, Spotify, etc.) and offer coupons or special rates if you “sign up now” using your bank and personal information. There are even fake log-in sites that steal personal information by tricking users into entering their login credentials. But how do you combat the constantly growing onslaught of phishing attacks?


Examples of Phishing

Email is the most common method used to phish unwary users of their information. The easiest way to tell a legitimate email from a phish is by looking for these tell-tale signs:

[Image: annotated example of a phishing email, with the numbered signs below marked on it]

  1. Check the sender's address: Professional or business emails will rarely be sent from an email account on a public domain (AOL, Yahoo, Comcast, etc.). If the email appears to be from a friend, a "spoofer" may be copying their address to feign credibility.
  2. Promised rewards: Phishing attempts will frequently promise a reward or benefit of some kind to encourage users to provide sensitive information.
  3. Personal information: Here, the sender explicitly states the information he or she is trying to steal. Other types of data scraping may ask the user for their bank information, SSN, or a specific username and password.
  4. Sense of urgency: Phishers will try to rush users by giving them a strict timeline or threatening negative consequences if the user fails to provide their information.
  5. Isolation: Some phishing attempts will try to isolate users and demand secrecy to avoid detection. More blatant attempts will actually request that the email be forwarded to other users in an attempt to hook more victims.
  6. Strange links or attachments: One should always be wary of links embedded in emails. This example asks the user to send their information to an entirely different email address. Others may provide a link to a fake login page, or to an attachment that contains a virus or malware.
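The six signs above can be turned into a simple indicator checker. The script below is an added example, not code from the Stockton page: it parses a raw email with Python's standard library and reports which of the listed signs it finds (public-domain sender, a Reply-To that differs from the From address, reward language, requests for credentials or account numbers, urgency, demands for secrecy or forwarding, and a link whose visible text points to a different site than its target). The free-mail domain list, the keyword patterns, and both sample messages (including every address and domain in them) are constructed for illustration and are not real senders or detection rules.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Consumer mail providers that a business would rarely send official mail from
# (hypothetical list; a real deployment maintains its own).
FREE_MAIL_DOMAINS = {"aol.com", "yahoo.com", "comcast.net", "gmail.com", "hotmail.com"}

# Keyword patterns for the signs in the list above (reward, personal information,
# urgency, isolation/forwarding). Deliberately simple; they illustrate the check,
# not a production filter.
INDICATORS = {
    "reward": re.compile(r"\b(prize|reward|winner|gift card|coupon)\b", re.I),
    "personal_info": re.compile(
        r"\b(password|username|social security|ssn|bank account|credit card)\b", re.I),
    "urgency": re.compile(
        r"\b(immediately|within 24 hours|urgent|account will be (closed|suspended)|act now)\b", re.I),
    "isolation": re.compile(
        r"\b(do not tell|keep this confidential|forward this (email|message) to)\b", re.I),
}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)


def _domain(addr):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(text):
    """Return the lower-cased host of the first URL in text ('' if none)."""
    m = HOST_RE.search(text)
    return m.group(1).lower() if m else ""


def score_message(raw):
    """Parse a raw RFC 5322 message and return the phishing indicators it triggers."""
    msg = message_from_string(raw)
    findings = []

    # Sign 1: sender address on a public domain, or replies routed elsewhere.
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if _domain(from_addr) in FREE_MAIL_DOMAINS:
        findings.append("sender_public_domain")
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append("reply_to_mismatch")

    # Signs 2-5: keyword patterns over the body (single-part samples only;
    # multipart handling is left out for brevity).
    body = msg.get_payload()
    for name, pattern in INDICATORS.items():
        if pattern.search(body):
            findings.append(name)

    # Sign 6: visible link text that points somewhere other than the site it shows.
    for href, text in ANCHOR_RE.findall(body):
        if _host(text) and _host(text) != _host(href):
            findings.append("link_text_mismatch")
            break

    verdict = "likely phishing" if len(findings) >= 3 else "no strong indicators"
    return {"findings": findings, "score": len(findings), "verdict": verdict}


# Constructed sample: a lure that shows most of the signs at once.
PHISHING_SAMPLE = """From: "IT Help Desk" <helpdesk.example@yahoo.com>
Reply-To: verify-account@mail-recovery.example
To: student@example.edu
Subject: Your mailbox will be suspended
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you confirm your username and password.</p>
<p><a href="http://account-verify.example/login">https://portal.example.edu/login</a></p>
<p>Do not tell anyone about this notice.</p>
"""

# Constructed sample: a routine message with none of the signs.
LEGIT_SAMPLE = """From: "Registrar" <registrar@example.edu>
To: student@example.edu
Subject: Spring schedule posted
Content-Type: text/plain

Your spring schedule is now available in the student portal at https://portal.example.edu/schedule.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, score_message(sample))
```

A score threshold of three indicators is an arbitrary choice for the example; in practice each sign is only a hint, and the point of the list above is that several of them appearing together is what should make a reader stop and check before clicking or replying.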

Types of Phishing

  • Spear phishing
    Spear phishing occurs when cybercriminals launch an attack on a business to get customers' information, and is generally directed at a specific group of people or companies. For example, a criminal will assume the business's identity to launch an attack against its customers, making the e-mails look authentic and thus increasing the attacker's probability of success.
  • Clone phishing
    This happens when a legitimate, and previously delivered, email containing an attachment or link has its content and recipient address(es) stolen and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender.
  • Whaling
    This type of phishing attack is directed specifically at senior executives and other high-profile targets within businesses. The email takes a more executive form, such as a legal subpoena, customer complaint, or executive issue, with the main goal of infiltrating a company from the top down.

Avoid Being a Victim

  • Be aware of suspicious messages. Check carefully for telltale signs of phishing and always remain skeptical of anything found online.
  • Keep your computer's operating system and anti-virus software up to date.
  • Forward any suspicious emails found in your inbox to phishing@stockton.edu.
  • Stockton employees: use Outlook to block spammers and phishers.
    • In Outlook 2013 (client version), right click on the suspicious e-mail, select Junk and click on "Block Sender."
    • In Outlook Web App (web version), right click on the e-mail and click on "Mark as Junk."
  • Stockton students: learn how to block unwanted messages in Gmail.
  • Visit www.onguardonline.gov to learn more about ways to prevent phishing.