Phishers are continuing to catch the attention of the NC State campus community with targeted email attacks.
To protect yourself, you need to know how phishers craft and target their messages. You also need to carefully read and understand the content of the email and determine if any requests are legitimate.
In a July scam, phishers sent email purportedly from a university administrator or colleague requesting gift cards for other staff members. This attack is a prime example of the more sophisticated techniques phishers employ — the exploitation of real-world identities and connections. Phishers behind the email were able to deceive employees by creating an email address that mimicked an actual campus email address: unityID@my.com.
The actual phishing email read: “Available?”
When the employee responded, “Yes,” the employee received the following reply: “Okay good, I’m in a meeting I need you to get a task done for me right away, is there any Walmart or Store close to you?”
When the employee responded “Yes” again, the employee received the following reply: “okay good, Here is what you need to do for me real quick. I need a Google Play gift cards, can you get some at the store right now? I will reimburse as soon as I’m out of the meeting with any inconveniences. Let me know to advise on denominations to purchase. Thanks!”
In spear phishing attempts like the above, phishers not only pose as a boss or colleague, but they also understand what is important to targeted audiences, like job openings, citizenship status, and student loan payments, and they use these as ways of gaining sensitive information — often in a quick time frame. These sophisticated strategies are designed to get more responses than past tactics — and unfortunately, they are effective.
To keep from getting lured into their deceptive net, follow these helpful tips:
- Know your senders
Phishing emails can look like they come from trusted sources. Before clicking on links or opening attachments, ensure you recognize the sender’s email address (Note: The email address above mimicked an ncsu address, but was in fact from my.com). When in doubt, don’t click on links or open attachments.
- Beware of phishy emails
Phishing emails may be vague or sound “funny” and can contain multiple spelling or grammar errors. If you receive such an email that appears to come from a person you know, contact the sender by phone for verification. Do not reply to the sender by email, as you may be communicating with someone who has hacked the sender’s account.
- Don’t forward phishing information to others, especially the active bad links
You may want to warn your friends, co-workers or customers of a phishing attack by forwarding them a phishing email. With some attacks, you can get your account phished or device compromised just by clicking on the email link that directs you to a fraudulent website or form.
- Instead, send a summary of the phishing email text and subject line
You can mention the links or take a screenshot of the original email, but do not include the real one. Never forward a “loaded” phishing email, and tell others not to do so.
- Don’t share sensitive data
No matter how “official” an email appears, legitimate companies and organizations will never ask for personal information, such as passwords and account numbers via email. Such phishing emails often contain urgent messages, requesting that you provide sensitive data to avoid an action being taken against you.
- Recognize phishing in all its forms
Phishing attacks aren’t limited to just email. They may also come in the form of instant messages or text messages (aka smishing) or even phone calls (aka vishing). Follow the same precautions you would for email when receiving links, attachments or requests for personal information by any of these methods.
- Ensure your antivirus software scans for malware
Viruses are only one type of malware, so confirm that your antivirus is also protecting your devices against other malware, such as worms, spyware, nagware, trojans, adware, and a host of malicious codes.
- Keep up with phishing trends and tactics
Pay attention to articles and alerts concerning current phishing scams, especially during certain times of the year, such as the tax season. See IRS Tax Scams / Consumer Alerts.
- Monitor and report suspicious activity
- When possible, view university emails using Gmail mobile and web clients. Potentially phishy messages will often be flagged in Gmail with a warning. Also, check your Gmail account activity to spot any unusual or unauthorized actions.
- In your Google email, select Report phishing from the drop-down menu in the upper right corner of your message. See Avoid and report phishing emails.
- You can also send new phishing emails to email@example.com. Make sure you include the full email headers.
- Turn on Two-factor Authentication to protect the data in your Google Apps @ NC State account and your personal email address. To view a list of applications that support 2-Step Verification, see Two Factor Auth (2FA).
- Store sensitive university data in the appropriate storage location.
See Storage Locations for University Data.
As always, contact the NC State Help Desk at firstname.lastname@example.org or 919.515.4357 (HELP) with any concerns or questions about suspicious emails, before you click on any links.
For additional information on phishing and computer safety tips, refer to the following resources: