Protect Yourself and Others - Phishing
Phishing scams are criminal attempts to steal personal and financial information or to infect devices with malware. Phishing emails can appear to come from a legitimate organization and urge you to act quickly to avoid negative consequences. They often try to entice you to click a link that leads to a fraudulent website that looks legitimate. There you may be asked to provide personal information, such as an account username, password or phone number, that can be used in further compromises. These fraudulent websites may also contain malicious code.
No one from NDSU will ever ask for your password
Phishing scams include:
- Mass phishing: The most visible type of phishing, mass phishing involves sending out a large volume of emails to as many end users as possible.
- Clone phishing: Spoofed copy of a legitimate and previously delivered email, with original attachments or hyperlinks replaced with malicious versions, which is sent from a forged email address so it appears to come from the original sender or another legitimate source.
- Spear phishing: Spear phishers have specific targets in mind when creating their phishing scams. They will gather information about their targets from social media and other sources to make a personalized attack that is much harder to detect than a standard phishing email.
- Whaling: Whaling is when a cybercriminal makes a spear phishing attack on a "big fish" such as a celebrity, CEO or employee with a high level of security clearance.
- Advance-Fee Scam: Advance-fee scams take many different forms. The most common ask the target to deposit a fraudulent check and then send part of the money back to the cybercriminal before the bank discovers the check is bad, leaving the victim liable for the full amount.
Hooked by a Phish?
If you suspect you have been hooked by a phishing scam, your best option is to take immediate action. Your password will need to be changed and your account inspected for any unwanted changes and activity. If you provided information for an account associated with another organization or company (e.g., bank), contact them so they can secure your account and watch for any suspicious activity.
We recommend you change the password for all accounts that utilized the compromised password. This may include accounts external to NDSU, such as your financial institution accounts and social media accounts. Keep in mind that the best practice is to have a unique password for each account, which can help protect your other accounts from being compromised, too.
If you provided the username and/or password associated with your NDSU or N.D. University System accounts, call the IT Help Desk at 701-231-8685 (option 1) immediately.
Consequences of Getting Hooked
If you get hooked by a phishing scam, your accounts may be compromised and your devices at risk of being infected by malware. If you replied with sensitive data via email or entered your username and password into a malicious website, your information can be used by cyber criminals in a variety of ways.
Your email account alone can be used to:
- Sell your information or publish it
- Access private information including your messages, calendar, chats, photos, voice recordings and location
- Harvest banking and credit card information that can be used to break into your financial accounts
- Access associated retail accounts (e.g., Amazon, iTunes, Netflix, Steam)
- Access or make changes to other academic accounts (e.g., Google Apps for Education, Blackboard)
- Hijack your social media and professional networking sites (e.g., LinkedIn)
- Steal your identity
- Send phishing messages to others, including NDSU students, staff and faculty, who are more likely to trust a message that comes from a real NDSU address
- Harvest student information contained in your email or associated accounts, which is a violation of FERPA
- Harvest research and academic data contained in your email or associated accounts, which may violate international treaties, federal and state laws, and university policies
- Steal or possibly alter scientific works, journals and other resources that are only available to those who have paid for these materials
How much of this an attacker can reach depends on whether you use the same username and/or password for multiple accounts, what information is contained in the compromised accounts, and what personal information about you is publicly available online through social media and other directories.
Tips and Advice
Sender Authenticity
Never open an email that looks suspicious. Treat an email as suspicious if the sender is someone you don't know or is outside your organization, or if the sender's address is not one that organization actually uses. Check the actual email address, not just the display name: a sender can set the display name to anything, such as the name of your IT department, while the address behind it belongs to an unrelated domain.
Examine Hyperlinks
Never click on a suspicious link. When you hover over a hyperlink, the address it actually points to should appear. Treat the link as suspicious if it does not go to the page its text says it does, if it is a string of random numbers and letters, or if it appears to go to the correct website but contains extra text that would not normally be there (for example, the real site's name appearing as only part of a longer, unrelated address).
Spelling and Grammar
Most organizations proofread their emails before sending them. Spelling and grammatical errors in a message that claims to come from a credible organization are a warning sign.
Threatening or Rewarding Language
Never act because a message threatens you or because the sender tries to entice you with a reward. This is often the first attempt at grabbing your attention and is usually a clear sign of phishing. A Nigerian prince is not going to make you extremely wealthy if you give him your information, and you will not be locked out of any of your accounts for declining to give someone your information.
Attachments
Never open an attachment in a suspicious-looking email. Attachments may carry viruses or other malware that can harm your machine.
FAQs
Falling Victim
Q: What should I do if I believe I am victim of a phishing scam?
A: If you provided your NDSU username and password, call the IT Help Desk at 701-231-8685 option 1 immediately – your password will need to be changed and your account inspected for any unwanted changes. If you gave the credentials for another institution, contact them so they can secure your account and watch for any suspicious activity.
Other Accounts
Q: Do I need to change my password for other accounts?
A: It is recommended you change the password for all accounts that used the compromised password. This may include accounts external to NDSU, such as your NDUS account or financial institution accounts. It is also recommended that you sign out of all your email sessions, so that anyone already logged in with the stolen password is disconnected:
- Go to portal.microsoftonline.com and log in
- Click the account circle in the upper right
- Click View account
- In the first box on the left, click Sign out everywhere
- Click OK
This signs you out of all your Office 365 logins.
Determining Phishing Emails
Q: What should I do if I am not sure an email is a phishing email or legitimate email?
A: Please forward the email to the ndsu.helpdesk@ndsu.edu for assistance with determining if the email is a phishing email or not.
Reporting Phishing Emails
Q: Who do I report phishing emails to?
A: If you have received a phishing email, forward it to ndsu.reportaphish@ndsu.edu, otherwise if you are unsure of its authenticity, contact the IT Help Desk at 701-231-8685 (option 1) or ndsu.helpdesk@ndsu.edu.
Spotting Phishing on Social Media
Q: What should I do when someone I don't know requests to follow me on social media?
A: Keep the following tips in mind to protect yourself against social media phishing scams:
- Don't follow people you don't know
- Assess their account. Red flags include:
  - New account. Spammers are constantly creating accounts to reach more people. Social media sites sometimes shut down accounts that users report as offensive or as spammers, but it is just as easy to open a new one.
  - Few posts or followers. If the account does not post much or have many friends or followers, it may be a newer account created for spamming rather than for engaging with people online.
- Ensure the social media account is official or verified. Most social media sites allow organizations and public figures to become "verified" or marked official. Look for a small blue circle next to the name with a checkmark inside like the official NDSU Facebook Page.
Training Materials and Additional Resources
Training Toolkit
Learning Objectives
- Define phishing and identify various types of phishing scams
- Recognize common baiting tactics used in phishing scams
- Examine real phishing messages
- Understand how to protect yourself from being hooked by a phishing scam
Test Your Phishing Knowledge
Take an anonymous quiz to test your knowledge. Immediate feedback helps you fine-tune your ability to protect yourself from phishing scams.
Additional Resources
- Arizona State University: Protecting Yourself from Phishing Scams. Arizona State University. Retrieved July 20, 2016.
- Center for Internet Security: Training and Resources. Center For Internet Security. Retrieved August 3, 2016.
- Marquette University: Phishing. Marquette University. Retrieved July 20, 2016.
- Spam & Phishing. StaySafeOnline. Retrieved July 20, 2016.
- Unifying the Global Response to Cybercrime. Anti-Phishing Work Group. Retrieved July 20, 2016.
- University of California Berkeley: Phishing. UC Regents. Retrieved July 20, 2016.
- University of Southern California: Phishing. University of Southern California. Retrieved July 20, 2016.