Phishing: How to Avoid Taking the Bait

What is Phishing

Phishing is most commonly done through “spoof” links sent in email messages that try to direct users to websites closely resembling sites they already know. A common phishing technique is to email you from an address that looks like your bank’s or your employer’s. The scammer then replicates the login page of your organization’s or bank’s website to collect your login information, which you willingly provide because you believe the page is genuine.

Here are a few versions of Phishing attempts:

Deceptive Phishing
This is one of the most common methods of phishing, and is done through spoof websites as outlined above. Phishers will usually send out messages urging users to log in to their account in order to secure it.

Spear Phishing
This form of phishing is a bit more advanced. The hacker will break into a company’s social accounts and target its connections. These phishers are familiar with the user they are targeting, so their attacks are more specific and might come from a very familiar email address. Most cyber attacks are done through spear phishing. At USF, any account with access to the directory can glean information, and a surprising amount of directory information is publicly available as well.

Pharming
This form of attack manifests itself through fake website domains. It is usually initiated through an email, but can also result from browsing or from keyword searches in web search engines: the victim clicks on a site link and is redirected to a spoof website that asks for personal information. To keep this from happening, always double-check the URL of a site before you enter any secure information. Look for the website’s security certificate indicator at the left of your browser’s address bar. Keep in mind that a certificate only shows the connection is encrypted; a spoof site can have one too, so the address itself is what to verify.

Text-Based Phishing
Phishers don’t only use emails to deliver misleading content; victims are often targeted through simple text messages claiming that your account has been compromised (ironic), or that the Sheriff’s office has been notified of some act you have allegedly committed. To secure the account or to address the issue, the victim is told to log in through a provided link. From there, the phishers can use your account information for nefarious purposes.

Gift certificate schemes are also common, as are fake discounts from well-known stores. The rule of thumb is that if something seems too good to be true, it probably is. If you ever click on a link that immediately directs you to a survey of some kind, especially one that asks for any financial information, it is a scam. It isn’t safe to fill out any information on this type of page.

Phishing on Social Media
Phishing scams have been found on Instagram and Facebook, but Twitter is one of the most popular sites for scammers. According to news station WMUR9, Twitter phishing schemes are initiated when a user tweets a complaint about a company. Then a spoof Twitter account tweets the user a link that is used to hijack their account. For instance, a user might tweet “The @BankofChoice app won’t let me log into my account again.” Then a phishing account resembling the official Bank of America account might tweet the user back saying, “We’re so sorry to hear about that. Click on this link to secure your account.”

Social media has made customer service representatives more accessible to users than ever. Unfortunately, this has made users just as accessible to scammers, through phone scams.

How to Avoid Being Phish Bait
Email, texting, and social media are not secure methods of communication, so legitimate businesses will not ask for personal information through these channels. Keep this in mind when looking out for phishing schemes. If you ever need to exchange secure information with your bank, either contact them by phone or go there in person. When calling your bank, be sure you are using the number printed on your bank statement or credit card.

Keep an eye out for glaring grammatical or spelling mistakes in professional emails or posts. Most organizations thoroughly proofread any content before making it public, while a phisher is less likely to pay attention to grammar. Emails sent by organizations you have accounts with will most often include your first name in the greeting, whereas scammers are more likely to use a generic greeting like “dear valued customer”. If you have suspicions, compare the message to others from the organization and look for differences in wording, format, links, and so on. If anything seems off, don’t click on anything and delete the email.

Windows Defender for Windows 10 has anti-malware prevention capabilities, as well as anti-virus controls. SmartScreen is another valuable tool for checking known attack sources.

Here are some more tips on how to handle phishing scams:

  1. Report phishing emails to the organization being impersonated. Some companies even have designated email addresses exclusively for reporting scams.
  2. Don’t click on any links or download any files before confirming that the message or post is legitimate.
  3. “Hover over any links before you click on them. If the URL of the link doesn’t match the description of the link, it might be leading you to a phishing site.” (Courtesy of Google Support.)
  4. If you are going to provide personal information through a company’s website, make sure you typed in the website address yourself.
  5. Make sure the sender’s email address or username matches the name displayed.
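As an added illustration of the “hover over the link” tip (not part of the original quickstart), this Python script performs that check automatically over a constructed HTML email: it compares the domain shown in each link’s text with the domain the link really points to. Every domain in the sample is a placeholder, and the last-two-labels domain rule is an assumption standing in for a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Naive last-two-labels rule (assumption: no public-suffix list available offline).
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def host_of(text):
    # Extract a host name from link text such as "https://www.bank.example/login".
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
    return m.group(1).lower() if m else None

def find_mismatched_links(html):
    # Return (visible text, real host) for every link whose displayed URL and href differ.
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = host_of(text)
        if shown is None:
            continue  # "Click here" style text gives nothing to compare against
        actual = urlparse(href).hostname or ""
        if registrable_domain(shown) != registrable_domain(actual):
            findings.append((text, actual))
    return findings

# Constructed sample email body; every domain is a placeholder.
SAMPLE_EMAIL_HTML = """<p>Dear valued customer,</p>
<p>Log in at <a href="http://bankofchoice-login.example.net/secure">https://www.bankofchoice.example.com/login</a>
to secure your account, or visit <a href="https://www.bankofchoice.example.com/help">www.bankofchoice.example.com/help</a>.
<a href="https://support.example.com/faq">Click here</a> for help.</p>"""
```

Run `find_mismatched_links(SAMPLE_EMAIL_HTML)` to see the first link flagged: it displays the bank’s address but points at a different domain, exactly the mismatch the hover check is meant to catch.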

To summarize, there is no such thing as being too careful. Check, check, and then check again. Your safety is what counts the most!

Last edited on June 29, 2022