What is Phishing?
phish·ing noun \ˈfi-shiŋ\ : Phishing is an email scam that attempts to obtain sensitive information from unsuspecting users.
How to spot phishing:
A phishing email will attempt to trick you in one of five ways:
1. The Old-Fashioned Scam: In this type of phishing message, the bad guy simply makes a direct request for personal information or money. The bad guy asks you to reply to the email and then starts a dialogue with you in an attempt to gain your trust. The bad guy will have a very detailed cover story and will keep pressing you to provide more information or to send money.
2. A Fake Link: The phishing message may contain a link which takes you to a fake website or which downloads malware onto your computer. To avoid this, always stop and think before you click a link. Did you expect to receive the message in the first place? Hover your mouse over the link and verify that it is taking you where you want to go. Links can be deceiving: the visible text of a link can read http://www.gatech.edu/ while the underlying destination is an entirely different site, and only hovering over it (or viewing the message source) reveals the real address. If you are viewing the link on a smartphone, pressing and holding the link should reveal its actual destination. Please note that 99.5% of all legitimate Georgia Tech websites are hosted under the gatech.edu domain (e.g. https://passport.gatech.edu). Check the hostname itself, not just whether the letters "gatech.edu" appear somewhere in the address: a legitimate hostname ends in gatech.edu, while something like gatech.edu.example.com is owned by whoever registered example.com.
3. A Fake Website: If you received a phishing email with a fake link, you may have clicked the link and been taken to a website asking for your information. To learn how to identify a legitimate website, please read this KB article in Service-Now. If you receive an email that you think is trying to send you to a fake website, one strategy is to open your web browser and manually type in the actual URL of the website you are looking for. For example, if you receive an email from what appears to be your bank asking you to click a link and enter your login and password, instead of clicking the link, go to your browser and navigate to your bank's website yourself. You can also call someone to verify whether the message is real. Following the previous example, you can call your bank directly and ask whether they actually need to verify your information.
4. A Virus Attachment: If you receive a phishing email with an attachment, the attachment most likely contains malware which will either send your information to the bad guys or allow the bad guys to access your computer. Stop and think before you open any attachment. Did you expect to receive the attachment from the sender? Often the bad guys pretend to be people you know and trust in order to get you to trust the attachment. If the email and attachment are from an unknown source, delete the email immediately. If the email and attachment appear to be from a trusted source but were not expected, pick up the phone and call the person to verify that they actually sent you the message.
5. Fake Contact Information: If you receive a phishing message which contains a phone number asking you to call if you have questions, this could also be part of the scam, designed to further gain your trust. Don't trust the contact information contained in the email. Navigate to the actual website of the organization in question and obtain their contact information directly from there.
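The link check in item 2 is the one that can be automated. The following script is an added example, not code from the original Georgia Tech page: it pulls every link out of an HTML email body, flags links whose visible text advertises one host while the href goes to another, and decides whether each destination is genuinely under gatech.edu using a hostname-suffix test rather than a substring test. The sample message and the hostnames account-verify.example, evil.example and login-gatech.example are constructed for this example.

```python
"""Added example (not part of the original page): audit the links in an HTML
email body the way a careful reader would by hovering over each one.

The sample message below is constructed for this example; the non-gatech.edu
hostnames in it are hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "gatech.edu"

# Constructed sample body: three anchors, only one of which goes to Georgia Tech.
SAMPLE_HTML = """
<p>Your mailbox is over quota. <a href="http://gatech.edu.account-verify.example">
http://www.gatech.edu/</a> to fix it.</p>
<p>Or sign in at <a href="https://passport.gatech.edu/">Passport</a>.</p>
<p>Questions? <a href="http://login-gatech.example/help">Help</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def is_trusted_host(url, domain=TRUSTED_DOMAIN):
    """True only if the URL's hostname is `domain` or a subdomain of it.

    A substring test ('gatech.edu' in url) is the wrong check: everything to
    the left of the registered domain is attacker-controlled, so
    gatech.edu.account-verify.example contains the string but is not Georgia
    Tech. urlsplit().hostname also drops any user@ prefix, so a URL such as
    http://www.gatech.edu@evil.example/ resolves to evil.example here.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host == domain or host.endswith("." + domain)


def looks_like_url(text):
    return text.lower().startswith(("http://", "https://"))


def classify(text, href):
    """Return 'mismatch', 'trusted' or 'untrusted' for one link."""
    if looks_like_url(text):
        shown = urlsplit(text).hostname or ""
        actual = urlsplit(href).hostname or ""
        if shown != actual:
            return "mismatch"   # the text says one host, the link goes to another
    return "trusted" if is_trusted_host(href) else "untrusted"


def audit(html):
    """Audit every link in an HTML body; returns (text, href, verdict) triples."""
    return [(text, href, classify(text, href)) for text, href in extract_links(html)]


if __name__ == "__main__":
    for text, href, verdict in audit(SAMPLE_HTML):
        print(f"{verdict:9} {text!r:28} -> {href}")
```

Run against the constructed sample, the first link is reported as a mismatch (its text reads http://www.gatech.edu/ but it points at gatech.edu.account-verify.example), the Passport link as trusted, and the help link as untrusted. The same suffix rule applies to any institution: replace TRUSTED_DOMAIN with your own registered domain.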
The biggest thing to remember is that you should never share your login and password with anyone... for any reason... ever.
Why do we concentrate our efforts on phishing training?
- Georgia Tech receives 3 million email messages per day
- Approximately 90% of email received is spam, phishing, or malware
- We want to present a real-life phishing message that was recently seen
- Historically we have found 15-20% of people fall for phishing the first time we send it, but through regular training exercises departments have seen that drop to under 2%.
If you receive a message which you suspect may be a phishing attack, forward the message as an attachment (this preserves the original headers, which a plain forward does not) to firstname.lastname@example.org.