Over the past 48 hours, we have seen a large spike in email phishing activity. Our Support Department has received calls from several users who have reported receiving email messages that turned out to be phishing attempts. We thought it a good time to share some information about what email phishing attacks are, how to identify an email that is attempting to phish information and what to do if you believe you have received an email phishing message.
What are email phishing attacks?
According to the US Department of Homeland Security’s Computer Emergency Readiness Team, email phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information, such as account usernames and passwords, that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.
Tech-savvy con artists and identity theft criminals will use spam, fake websites constructed to look identical to real sites, email and instant messages to trick you into divulging sensitive information, like bank account passwords and credit card numbers. Once you take the phisher's bait, they can use the information to create fake accounts in your name, ruin your credit, and steal your money or even your identity.
How do I identify a phishing email?
If you receive an email message that appears to have been sent from a coworker, vendor or other trusted third-party and it’s requesting you to click on a link, open an attachment, take an action (like issuing a check or buying gift cards), or sending information about employees, bank accounts, customers or vendors, it may be a phishing attempt. Stop and scrutinize the message carefully. Here’s some clues to look for that will help determine if the message is a phishing attempt:
- An email phishing message typically will use awkward sentence structure or use words in the wrong context. Nouns and punctuation may be used incorrectly.
- An email phishing message will suggest that you requested some information and will ask you to click on a link or open an attachment.
- A phishing email can look like a fundraising message for a recent disaster or other newsworthy event.
- A link may be disguised to look like a legitimate site, such as Amazon, Microsoft or a bank.
I think I just received an email phishing message. What should I do?
If you think you’ve received an email phishing message, the most important action to take is to stop – don’t click any links, don’t open any attachments, and don’t reply. Some other actions to take are:
- Don't open messages from unknown senders
- Do not click on any links. By hovering your mouse pointer over the link, you can see the actual link displayed in a pop-up info balloon. If the link address looks unusual or does not match the site it states it’s from, it’s a phishing attempt.
- Call the sender and ask them if they sent you the message. Only follow the link or open the attachment if you can verify its legitimacy with the sender.
- Do not provide personal information to any unsolicited requests for information
- Type in a trusted URL for a company's site into the address bar of your browser to bypass the link in a suspected phishing message
- If you want to donate, visit the fundraising organization’s web site directly, don’t use any links from any other source.
- Only provide personal information on sites that have "https" in the web address or have a lock icon at bottom of the browser
- Immediately delete messages you suspect to be spam
Email phishing messages can be safely deleted. If a message appears suspicious and you would like help determining whether it’s a phishing attack or not, please call our office at (209) 790-4560 option 2, or send us an email at firstname.lastname@example.org.
If you believe you have already responded to an email phishing message, clicked on a suspicious link or opened a suspicious attachment, notify your supervisor and manager, and then call our office at (209) 790-4560 option 2.
Remember to always stay safe online and think before you click!