Email phishing has long been the method of choice for many cybercriminals who seek to exploit vulnerabilities for personal gain. These attacks are continually revised and refreshed to take advantage of current trends and new strategies used to socially engineer their victims.
Phishing works so well because it takes advantage of human emotion, convincing unsuspecting victims that they are acting in their own best interests. It is often too late when the victim realizes what’s going on and tries to undo the damage done by the fraudulent attack. Common consequences include loss of data and personal information, malicious software (malware) infecting your devices, and loss of control of your devices and accounts. The attackers use any tactic they can think of to trick their victims into assisting with their attacks, frequently with a tone of urgency and an offer of a reward or the threat of a negative consequence.
The Office of Information Security is working hard to develop new protections against these types of threats, but the fact remains that the very best way we can protect our institution is through building awareness of the “red flags” that indicate a phishing attack, and the best practices for identifying them. In most cases, slowing down and carefully reading the message will reveal that what looked legitimate when working quickly, actually had one or more characteristics common to many of phishing attacks.
In each newsletter edition we publish, we will provide valuable information about the specific types of attacks we are seeing and provide our readers with the best tools available for identifying, reporting, and developing new capabilities to shield ourselves and our institution from phishing threats. Familiarizing yourself with the phishing safety tips below and using them to evaluate any email that seems suspicious or urgent will help you improve your resilience to these socially engineered scams.
10 Phishing Safety Tips
- Don’t click.Instead of clicking on any link in a suspicious email, type in the URL, or do a search on wustl.edu for the relevant department or page. Even though a website and/or URL in an email looks real, criminals can mask its true destination.
- Be skeptical of urgent requests.Phishing messages often make urgent requests or demands. When you detect a tone of urgency, slow down and verify the authenticity of the sender and the request by using official channels, rather than the information provided by the sender.
- Watch out for grammar, punctuation, and spelling mistakes. Phishing messages are often poorly written. Common hallmarks of phishing are incorrect spelling, improper punctuation, and poor grammar. If you receive an email with these problems, it may be a phishing attempt. Double-check the email address of the sender, don’t follow any links, and verify the authenticity of the request using official channels.
- Keep your information private.Never give out your passwords, credit card information, Social Security number, or other private information through email.
- Pick up the phone. If you have any reason to think that a department or organization really needs to hear from you, call them to verify any request for personal or sensitive information. Emails that say “urgent!” use pressure tactics or prey on fear are especially suspect. Do an online search for a contact phone number or use the contact number published in the WUSTL directory.
- Use secure websites and pay attention to security prompts. Always check if you are on a secure website before giving out private information. You can determine whether a website is secure by looking for the “https://” rather than just “http://” in the Web address bar or for the small lock icon in the Internet browser. If your browser cannot validate the authenticity of the website’s security certificate, you will be prompted. This is frequently a telltale sign of fraud, and it would be a good time to pick up the phone or report a suspicious message.
- Keep track of your data. Regularly log onto your online accounts and make sure that all your transactions are legitimate.
- Reset any account passwords that may have been compromised.
- Know what’s happening. Visit the Office of Information Security page ( https://informationsecurity.wustl.edu/home/alerts/ ) often and follow us on Twitter ( https://twitter.com/WUSTL_InfoSec ) to get the latest WashU Information Security Alerts.
- Report it. If you are a victim of an email scam, report it to your IT department, the OIS (email@example.com), or HIPAA Privacy Office. When you report a phishing attack, we will investigate it and if necessary, remove other instances of the attack from our systems. Reporting the attack will help protect others and our institution.
For more information about phishing, please take a look at the following posts:
- Protect Yourself from Social Engineering: https://informationsecurity.wustl.edu/protect-yourself-from-social-engineering/
- Top Phishing Threats Last Year—Impersonation and Credential Phishing: https://informationsecurity.wustl.edu/top-phishing-threats-last-year-impersonation-and-credential-phishing/