We are halfway through Cybersecurity Awareness Month! So far, we’ve covered passwords and MFA, two important tools to keep your accounts safe from attackers. This week, we’re turning our focus to the attackers themselves and talking about those dreaded phishing emails. Phishing is when attackers use fake emails, social media posts, or direct messages (such as texts) with the goal of luring you into clicking on a bad link, downloading a malicious attachment, or visiting a fake login page in hopes of getting your username and password. Phishing is one of the top threats faced by organizations of every size around the globe!
We’ve all seen them, most of us have responded to them at least once, and they’re not going to slow down any time soon, so it’s good to know what to look for. Once you recognize a phishing attempt, you can avoid falling for it by taking just a few seconds to review your emails before clicking on any links or downloading any attachments. Here are some tips from the National Cybersecurity Alliance on how to spot a phish:
- Does it contain an offer that’s too good to be true?
- Does it include language that’s urgent, alarming, or threatening?
- Is it poorly crafted writing riddled with misspellings and bad grammar?
- Is the greeting ambiguous or very generic?
- Does it include requests to send personal information?
- Does it stress an urgency to click on unfamiliar hyperlinks or attachments?
- Is it a strange or abrupt business request?
- Does the sender’s e-mail address match the company it’s coming from? Look for little misspellings like pavpal.com or anazon.com.
- Does the sender ask you to respond in a different way, like using your home email or a phone call?
By taking some time to ask yourself the questions above, and doing some investigation before clicking links or attachments, you can avoid falling victim to phishing.
You might ask, “What do I do if I suspect a phish, or if I clicked on one?” That’s where the VSC Cybersecurity Team comes in. After you’ve identified a potential phish, or suspect that something you clicked on or replied to was a phish, you should forward the entire email thread, attachments and all, to cybersecurity@vsc.edu. We can use tools that we have at our disposal to verify the legitimacy of links and attachments and, if necessary, block the original sender of the email, so their phishing expedition comes to an abrupt halt. Even if you’re expecting an attachment and you’ve done some preliminary sleuthing and suspect something is phishy, you can send it to us and we can confirm your investigation for you! It’s better to be safe than lose your data, and we can help you recover if it is a real phish.
If you suspect phishing emails have hit your personal inbox, some platforms let you report phishing attempts directly to the platform provider. Here are some resources from the National Cybersecurity Alliance on reporting phishing to a few popular email platforms:
Report a phish on Outlook: https://support.microsoft.com/en-us/office/phishing-and-suspicious-behaviour-0d882ea5-eedc-4bed-aebc-079ffa1105a3
Report a phish on Gmail: https://support.google.com/mail/answer/8253?hl=en
Report a phish on Mac Mail: https://support.apple.com/en-us/HT204759
Now that you have a better idea of how to protect yourself from phishing, and how to recognize a phish early, you may be wondering what the VSC Cybersecurity Team is doing to keep you safe. Unfortunately, we can’t keep every phishing email out of your inbox, but we do have some tools in place that help to mitigate some of the more popular phishing attempts.
For example, we have filters in place on our mail system that prevent attackers from impersonating our members; emails coming from ‘spoofed’ addresses of many VSC employees get caught in these filters before they ever reach your inbox. Most of you have probably noticed the big red banner at the top of emails coming from outside senders, cautioning you against clicking links or attachments, since the sender isn’t a member of the VSC. Lastly, since we rely heavily on you, our community, to catch and report these phishing attempts, we send out monthly phishing tests to all VSC employees. These tests come in the form of a suspicious-looking email that uses common attack techniques, in hopes that it will be reported to our Cybersecurity Team, which tells us that we’ve done our due diligence in keeping you informed of phishing trends. These tests aren’t meant to ‘catch’ anyone, and in fact, if you were to click on a link or attachment in one of our test phishing emails, you’d be taken to a training that will hopefully teach you a bit more about phishing trends and how to avoid falling victim to them.
Thank you so much for your diligence in keeping the VSC cyber safe!
For some more resources on phishing and reporting cybercrime, please check out some of the links below: