Phishing is a technique used by cybercriminals in which well-designed, legitimate-looking emails and pop-up messages lure victims into revealing their username, password, credit card number, Social Security number, or other sensitive information. Even though the problem is not new, there never seems to be a shortage of victims.
Successful phishing messages often look like what you would expect to get from institutions you trust. Messages used in phishing scams are often identical to those used by the banks, schools, and merchants you deal with. However, you should never trust email or pop-up messages that ask you to confirm, validate, or update your information by responding to the email or by following a link. The Virginia Tech community is not immune to phishing attempts. Virginia Tech will never send a message to you asking you to validate, confirm, or update your personal information and passwords.
Phishing emails often have the following characteristics:
- Phishing emails will ask you to reply with needed information such as username and password. Sometimes they will ask for other items such as your Social Security number or date of birth.
- Phishing emails may ask you to click on a link inside the email. The link will often lead you to another site that asks you to fill out a form supplying information, or it may download information-stealing malware.
- Cyber criminals will often use phishing emails with attachments that, when opened, can infect your machine with malware.
- Phishing emails can have a forged sender’s address to mask the cyber criminal's identity and make the email seem legitimate.
- Cyber criminals can also create hyperlinks inside of emails that are misleading.
Spear phishing has become more common at Virginia Tech. Spear phishing is a targeted phishing attempt against an individual or group that appears to come from a trusted source. The emails are crafted to appear to come from an organization that you work with or to contain information that you might find interesting.
- Never respond to messages that ask you to verify, update, or validate information they should already have.
- Never reply to any message or email that asks for your PID, password, account information, or anything else that would be considered sensitive.
- Never click on a link in a message or pop up.
- Never call phone numbers that are provided in messages that ask for personal information.
- Keep your anti-virus software up to date and your firewall closed as much as possible. Even though anti-virus cannot stop you from simply telling someone your personal information, it may protect you from some malicious software installations.
Examples of Phishing Emails
Phishing Example: Fake Survey
The example below is a common phishing email that uses a legitimate business name to lure victims into clicking a link. This particular link poses as a login in an attempt to steal a username and password.
Phishing Example: Attempt to steal PID and Password
This example is very common at Virginia Tech. This phishing email references existing Virginia Tech web addresses and uses a legitimate-sounding email address. It is important to know that Virginia Tech will never ask you for your PID and password by email.
Phishing Example: Help Desk Email
This phishing email was sent to a user posing as an IT help desk ticket, threatening to cut access to email. Phishing emails similar to this one have been successful by preying on victims' fears. Never send your password to anyone by email.
Phishing Example: Fake Banking Email
This phishing example uses the name of a legitimate bank to try to trick victims into sharing their banking credentials. It is a good practice to go straight to your banking website instead of clicking on links inside of emails.
Phishing Example: Spear Phishing
This is an example of a well-crafted spear phishing attack sent out at the beginning of tax season. Emails like this can be successful because they are legitimate-looking and timely.