Phishing, or the use of emails to trick victims into visiting a malicious website, downloading malware, or surrendering information or access to information, is one of the hacker’s most valuable tools. With the widespread use of email for both personal and professional communication, phishers have many opportunities to scam unsuspecting users. The flexibility of text, links, and attachments means phishers also have many options once they bait their victims.
Why are phishing scams dangerous?
Phishing scams present a multitude of threats to both individuals and organizations.
Because they are email-based, they can be sent to large audiences just as easily as small ones. Phishers often acquire email directories, especially if they plan to launch targeted attacks against specific audiences.
In targeted spear phishing attacks, phishers often write specific emails intended to impersonate legitimate individuals or organizations. For example, a spear phishing attack against the University of Delaware might be disguised as a system email from a vague department such as the “UD Financial Division,” or “UD Help Desk.” Targeted messages such as these rely on employees’ inherent trust for their organization and on the unlikelihood of every employee knowing every department name or individual title. If even one person falls victim to the scam, the phisher can potentially gain access to critical data or entire systems.
Any phishing scam can be dangerous. A successful phishing attempt can result in the compromise of your personal information, your computer accounts, your financial accounts, and even your devices. Links and attachments can deliver malware to your phone, tablet, or computer. That malware can harvest your information, make your device vulnerable to further attacks, and even give the phisher control of your device.
What’s the motivation?
The basic intent behind phishing is getting access to information. Phishers want any private information they can get; even if they don’t use it themselves, they can sell it to other criminals. Cyber criminals can trade stolen data like any other commodity.
Personal information, especially personally identifiable information (PII), can be used to commit identity theft. Stolen account credentials are also valuable; they can be sold on the cyber black market, or they can be used to fuel phishing campaigns that can potentially compromise other accounts and harvest additional information.
University information is also highly valuable. The University of Delaware conducts extensive proprietary and contracted research in many sectors. If a phisher manages to breach the system, he or she could gain access to millions of dollars in information and patents, which can be sold to the highest bidding organization or government. Additionally, the University must store a large amount of personal information from both student and employee records. If the consequences for individual data theft are severe, the consequences for institutional data theft are even greater.
Phishing is also a valuable first step in infiltrating an organization’s IT infrastructure. If the phisher can deceive even one person at the University, then he or she has the potential to do it again and again, each time widening the hole and extracting more information from personal and University systems.
How can you identify phishing scams?
Most phishing scams can be identified by carefully checking the emails for some common flaws. Use these practices to keep yourself and your information safe.
- Check the sender – Legitimate organizations typically own their own domains. For example, UD’s email comes from udel.edu. If you receive an email that purports to come from UD, but that actually comes from a non-udel.edu domain, it may be a scam. Be careful, though. It’s possible to “spoof,” or imitate, legitimate email domains. Always check the rest of the message and verify it before trusting it.
- Check how they address you – If you work for or do business with an organization, that organization will know your name. If the email addresses you vaguely with a “Dear customer” or “Webmail user,” then something is probably wrong. Most organizations have email systems that automatically insert your name in the salutation, even in mass emails.
- Check for errors – Although it’s possible for legitimate emails to contain errors, it’s unlikely. Most organizations proofread their emails. Poor writing, formatting errors, and awkward flow are some of the tell-tale signs of phishing scams. In targeted attacks, look for unfamiliar wording; if the email says something in a way other than your organization would say it, be cautious.
- Check for consistency – If an email tries to tell you something other than what an official source does, you might have found a phishing scam. For example, if you receive an email telling you your mailbox is using 200 of 250 megabytes, but your email account page gives you different numbers, then the email is clearly a scam.
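The first two checks in the list above (who the sender really is, and how the message addresses you) can be applied mechanically. The script below is an added example, not part of the original UD article or any UD tool: it parses a raw message with Python's standard `email` module, flags a sender that claims to be UD while writing from a non-udel.edu address, and flags a vague salutation. The keyword list and the salutation patterns are assumptions, and the two sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The organization's own mail domain, as stated in the article.
TRUSTED_DOMAIN = "udel.edu"

# Words a message would use to claim it comes from the organization (assumed list).
ORG_NAME = re.compile(r"\b(ud|udel|university of delaware)\b", re.IGNORECASE)

# Vague salutations: the two the article names plus a few common variants (assumed).
GENERIC_SALUTATION = re.compile(
    r"^\s*(dear|hello|hi)\s+(customer|user|webmail user|member|account holder|client)\b",
    re.IGNORECASE,
)


def is_org_domain(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only for the trusted domain or one of its subdomains.

    Look-alikes such as 'udel-edu.com' or 'udel.edu.example.com' fail here,
    because the comparison is on whole labels, not on a substring.
    """
    domain = domain.lower()
    return domain == trusted or domain.endswith("." + trusted)


def plain_text_body(msg) -> str:
    """Return the text/plain body of a parsed message (first such part if multipart)."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                return part.get_payload(decode=True).decode("utf-8", "replace")
        return ""
    return msg.get_payload(decode=True).decode("utf-8", "replace")


def check_message(raw: str, trusted: str = TRUSTED_DOMAIN) -> list:
    """Apply the sender and salutation checks; return a list of (code, detail) findings.

    An empty list is NOT proof the mail is genuine: the From: header can be
    spoofed, so a passing domain check only removes one red flag.
    """
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    claims_org = bool(ORG_NAME.search(name) or ORG_NAME.search(msg.get("Subject", "")))

    # Check the sender: the message says it is from the organization, but the
    # address is on some other domain.
    if claims_org and not is_org_domain(domain, trusted):
        findings.append(("sender-domain", f"claims to be {name!r} but sent from @{domain}"))

    # Check how they address you: a real organization knows your name.
    for line in plain_text_body(msg).splitlines():
        if line.strip():
            if GENERIC_SALUTATION.match(line):
                findings.append(("generic-salutation", line.strip()))
            break

    return findings


# Constructed sample messages (not real mail) used to exercise the checks.
PHISH_SAMPLE = """\
From: "UD Help Desk" <helpdesk@udel-edu-support.com>
To: student@udel.edu
Subject: Your mailbox is almost full
Content-Type: text/plain

Dear Webmail user,

Your mailbox is using 200 of 250 megabytes. Click the link below to upgrade.
"""

LEGIT_SAMPLE = """\
From: "IT Support Center" <consult@udel.edu>
To: jdoe@udel.edu
Subject: Scheduled maintenance this weekend
Content-Type: text/plain

Dear Jane,

Email service will be unavailable Saturday from 6 to 8 a.m.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, check_message(sample))
```

Run as a script it prints the findings for both samples: the constructed phishing message trips both checks, the constructed legitimate one trips none. The domain comparison is deliberately on whole labels, which is why a look-alike such as udel-edu-support.com is caught even though it contains the letters "udel".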
[Cartoon reproduced with permission from www.SecurityCartoon.com; visit the site for more material.]
Best practices
There are several basic steps you can take to protect yourself and your information from phishing scams:
- Be cautious – Many phishing emails contain errors or inconsistencies that make them easier to identify. Don’t assume that an email is legitimate simply because it claims to be legitimate or because it looks official.
- Don’t click links – One of the most dangerous tools in the phisher’s arsenal is malware. Active links in phishing emails often direct users to hacker-controlled Web sites that download and install malware on devices, then give the hacker access to the device’s data or systems. Inspect links by hovering your mouse cursor over the link and checking the true destination in the bottom left corner of your browser window. If you must follow a link, copy and paste it into your browser’s address bar rather than clicking it.
- Never download unsolicited attachments – Often, phishers use attachments such as “free vouchers” or “cool pictures” to deliver malware to your device. Don’t download attachments from emails unless you were expecting both the email and the attachment and you can verify the legitimacy of both. Always scan attachments for viruses before opening them.
- Verify the information – Usually, the information found in legitimate organizational emails can be verified by that organization’s other resources. For example, a UD email informing you that you need to change your password would be verified by a UDaily article or by an announcement on UD’s website.
- Never provide your confidential information – Legitimate organizations will never ask you to disclose your personal information, including your account credentials, through email. If you receive what appears to be a legitimate email from an organization you know, go directly to that organization’s web site to verify and perform any requested actions. Don’t respond to the email.
- Report and delete – If you encounter a phishing email, report it to the IT Support Center, then delete it from your inbox. In doing so, you alert others to the risk, and you eliminate the risk to yourself.
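The "Don't click links" advice above rests on one fact: the text you see in a link and the address it actually opens are two different things, and hovering reveals the second. The script below is an added example, not part of the original UD article or any UD tool: it extracts every link from an HTML message body with Python's standard `html.parser`, reports each link's true destination, and flags links whose visible text looks like one address while the href points somewhere else, as well as links that leave the organization's domain. The trusted domain and the sample HTML are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The organization's own web domain, as stated in the article.
TRUSTED_DOMAIN = "udel.edu"


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # visible text fragments inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, lower-cased; '' if there is none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_org_domain(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only for the trusted domain or one of its subdomains."""
    return domain == trusted or domain.endswith("." + trusted)


# Visible link text that itself looks like a web address.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def inspect_links(html: str, trusted: str = TRUSTED_DOMAIN) -> list:
    """Report the true destination of each link plus any red flags."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for text, href in parser.links:
        destination = host_of(href)
        flags = []
        # The text shows one address, the href opens another: what hovering would reveal.
        if URL_LIKE.match(text) and host_of(text) != destination:
            flags.append("text-destination-mismatch")
        # 'udel.edu.account-verify.net' starts with udel.edu but is not under it.
        if not is_org_domain(destination, trusted):
            flags.append("outside-org")
        report.append({"text": text, "href": href, "destination": destination, "flags": flags})
    return report


# Constructed HTML body (not a real message) with one deceptive and one honest link.
SAMPLE_HTML = """\
<p>Your password expires today. Renew it at
<a href="http://udel.edu.account-verify.net/login">https://www.udel.edu/password</a>
before 5 p.m.</p>
<p>Questions? Contact the <a href="https://www.udel.edu/it/">IT Support Center</a>.</p>
"""

if __name__ == "__main__":
    for entry in inspect_links(SAMPLE_HTML):
        print(entry["destination"], entry["flags"], "<-", entry["text"])
```

The first link in the sample is the pattern the article warns about: the visible text reads like a UD address, but the true destination is a host that merely begins with "udel.edu". The domain test compares whole labels from the right, so that trick is caught; the second link, whose text is plain words and whose destination is under udel.edu, raises no flag.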
For more recommended practices, visit the Phishing Resources page on the UD IT Security Web site.
For examples of phishing emails, visit the Secure UD Threat Alerts site and look through the phishing category. You can also find annotated examples on the UD IT Security Web site.