If you’re reading this, you may have spotted February’s test phishing email! This email was sent as part of the Secure UD “Take a BITE out of phish!” campaign, a University initiative to raise our community’s awareness about phishing attacks, their consequences, and how to avoid becoming a victim. Each month, a random sample of employees will receive a harmless test phish like this one:
Now let’s look at what makes this email untrustworthy:
- Check the sender. If the “from” address is unfamiliar, take a few extra moments to examine the contents of the email. In this case, the email is sent from “firstname.lastname@example.org,” so you should ask yourself if this is an address you recognize.
- Be aware of “are you there?” phishes. In recent months, UD has seen an increase in targeted phishing attacks that usually start with a simple introduction like “Are you there?” or “Are you available?” Read our article about these particular kinds of phishes.
- Don’t click links. Links in a suspicious email may take you to a criminal or malicious website. When in doubt, hover your mouse over the text of the hyperlink (you should see the full URL, which will help to show whether it leads to a legitimate website).
- Look out for grammar and spelling errors. Scam emails often contain typos and other errors, which are red flags indicating that the email probably didn’t come from a legitimate source. For example, the sentence “If you can do me this favor; here are the gift cards and amounts that I need” is not grammatically correct.
- Does this make sense? Ask yourself if the contents of the email make sense. In this email, there is a vague mention of a “favor” and a request for gift cards, and it is signed “Cathy.” Take a couple of seconds to think about whether this request and signature are something you recognize. In this type of cyberattack, scammers send an email that appears to come from a trusted source (e.g., a University official such as a president, dean, chairperson, or other position) in an attempt to commit fraud by persuading you to purchase gift cards, initiate payments or wire transfers, or divulge sensitive information. Spear phishing differs from generic phishing in that it’s more targeted, often including familiar names, organizations, or logos to create a convincing lure.
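For mail administrators, the checklist above can be approximated as automated triage signals. The following is an added example, not part of the Secure UD campaign or its tooling; the domain `university.example`, the function name `red_flags`, and both sample messages are constructed placeholders, and "unfamiliar sender" is simplified here to "sender outside the organization's domain."

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "university.example"  # assumption: placeholder for your own mail domain

OPENER = re.compile(r"\bare you (there|available)\b", re.I)
GIFT_CARD = re.compile(r"\bgift\s*cards?\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE = re.compile(r"[\w-]+(?:\.[\w-]+)+")

def red_flags(raw_message):
    """Return the checklist items (as short labels) that a message trips."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # single-part text message assumed
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() != ORG_DOMAIN:
        flags.append("external-sender")
    if OPENER.search(msg.get("Subject", "") + "\n" + body):
        flags.append("availability-opener")
    if GIFT_CARD.search(body):
        flags.append("gift-card-request")
    for href, text in ANCHOR.findall(body):
        shown = HOSTLIKE.search(text)  # hostname the reader sees in the link text
        host = (urlparse(href).hostname or "").lower()  # where the link really goes
        if shown and shown.group(0).lower() != host:
            flags.append("link-text-mismatch")
            break
    return flags

# Constructed sample modeled on the test phish described above.
SAMPLE_PHISH = """\
From: Cathy <firstname.lastname@example.org>
Subject: Are you available?

Are you there? If you can do me this favor; here are the gift cards and
amounts that I need. <a href="http://cards.example.net/list">www.university.example</a>
Cathy
"""

# Constructed benign message from inside the organization.
SAMPLE_OK = """\
From: Colleague <colleague@university.example>
Subject: Meeting notes

Notes are posted at <a href="https://www.university.example/notes">www.university.example</a>
"""
```

These labels are triage hints for a reviewer, not a verdict: a compromised internal account trips none of the sender checks, so the "does this make sense?" question still has to be asked by a person.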
Always exercise caution; if you receive a suspicious request for your payment information, or instructions to visit a suspicious website or download a suspicious attachment, forward the message to email@example.com.
And as always, Think B4 You Click!