Introduction
"Phishing" refers to an event where an individual attempts to "fish" for personal or financial information via email. The following sections define actions to take if you suspect you have been "phished"; describe in general the forms phishing attacks can take, and describe specific types of phishing attacks that you may experience.
What to Do If You Receive a Suspected Phishing Email in Your Inbox
1. Open a new email message with this recipient: stop-spoofing@indstate.edu
2. Click on “Attach Item” in the toolbar at the top of the message
3. Click on “Outlook Item” in the list that appears
4. Use the email folder list to find the message you suspect is a phishing attempt
5. Click on that message, and it will appear in the open email message as an attachment
6. Write a brief explanation of your reason for suspecting the message is a phishing attempt
7. Send the email
Our OIT security staff monitor this mailbox and should address your email quickly. Please simply ignore or delete any messages in your "Junk" folder.
If you are not able to follow these instructions for some reason, always feel free to report the event by calling the Technology Support Center at 812-237-2910.
What to Do If You Have or Suspect You Have Responded to a Phishing Attempt
If you have or believe you may have provided information to a hacker in response to a phishing attack (or any other kind of attack), you are required by ISU policy to report the incident. Use the Security – Report an Incident form at:
https://indstate.teamdynamix.com/TDClient/1851/Portal/Requests/ServiceDet?ID=26161
Phishing - General Information
Phishers are getting better every day at making their messages look authentic, so it is necessary to take a number of precautions. In most cases, simply opening an email or reading a message is safe. For most attacks to work, you have to do something after reading the message, such as opening an attachment, clicking on a link, or responding to a request for information. To protect yourself, keep the following in mind.
- Just because a message appears to come from a friend or someone you know does not mean the message is safe. Cyber criminals may have infected their computer, hacked their account or “spoofed” (in essence, faked) the from address. If you are suspicious about a message from someone you know, call the person to verify if it was truly them that sent it.
- Be suspicious of any email directed to “Dear Customer” or some other generic salutation.
- Be skeptical of any message that requires “immediate action,” creates a sense of urgency or threatens to shut down your account.
- Be suspicious of messages that claim to be from an official organization but have grammar or spelling mistakes. Most organizations have professional writers and do not make these mistakes.
- Before you click on a link, hover your mouse over it. This will display the true destination of where you would go. Confirm that the destination displayed matches the destination in the email and that it is going to the organization’s legitimate website. Typing the website into your browser is even better. For example, if you get an email from your bank asking you to update your bank account, do not click on the link. Instead, type your bank’s website in your browser, then log into the website directly.
- Be careful with attachments and only open those you were expecting. Cyber criminals can send you infected attachments that can potentially bypass your anti-virus.
Using email safely is ultimately about common sense. If a message sounds suspicious or too good to be true, it is most likely an attack.
Student Employee Scam, 'Spear Phishing' Emails Target Online Banking
ISU employees should be on alert for fraudulent "phishing" emails designed to steal employee credentials to university and banking websites. The emails have targeted university employees at multiple institutions nationwide to reveal online login and password information or submit the credentials to a fraudulent site. Cyber-criminals use the credentials to modify banking information to divert paychecks.
Another approach that is sometimes part of the online banking scam mentioned above that involves using students that are looking for employment. The scam either uses funds from the online banking scam deposited into the student’s account or from fraudulent checks mailed by the scammers to the students who then are tricked into wiring money to the scammers because they are told it is part of their job duties.
Do not click on or respond to any message that asks for credentials or personal information. ISU will never ask for individual login, password or other personal information via email.
If you have responded to an email or you are made aware of a possible scam involving student employment, follow the instructions at the top of this article.
Phone Phishing Campaigns
In this type of scam, individuals may call you claiming to be from Microsoft, Google, Apache, or another major technology company. The caller may claim to be from a tech support unit, a security unit, a Technology Assistance Group, a service center, a research and development team, or some other such unit. The chances are extraordinarily high that the caller is attempting to:
- Trick you into installing malicious software that could capture sensitive data, such as online banking user names and passwords. They might also then charge you to remove this software.
- Take control of your computer remotely and adjust settings to leave your computer vulnerable.
- Request credit card information so they can bill you for phony services.
- Direct you to fraudulent websites and ask you to enter credit card and other personal or financial information there.
- Ask you for your username and password.
These callers may know basic information about you by means of our campus directory and other publicly available information. They may use these details in an effort to disarm you of any initial skepticism. They will also use advanced techniques by "verifying" wrong information with you in the hopes that you will correct them. For example, they may say something like, "We just need to verify that your computer has an IP address of 192.168.1.1. Is that accurate?" with the hopes that you will give them your correct IP address.
Please approach any unexpected phone call with an appropriate amount of skepticism and hang up immediately if it appears in any way to be such a telephone scam. If you have some sense that the phone call may be legitimate, it is better to err on the side of caution: call the company back directly using published company phone numbers.
Do not give any information about yourself, your computer or our computing environment to these individuals. Never reveal your username or password to anyone. And, should you believe that you have fallen victim to such a scam, report immediately using the Security – Report an Incident form linked at the top of this article.
Call the OIT Technology Support Center at 812-237-2910 if you have questions or concerns.
Additional Resources
The Office of Information Technology offers SANS "Securing the Human Training" modules though Sycamore e-Learning. The program consists of short and informative videos that cover important topics such as Safe Browsing, Email, Mobile Device, and Data Security as well as HIPAA, FISMA and FERPA standards. These videos will help you keep yourself safe online, protect your data, and understand important security issues. The modules will be accessed by going to the ISU portal and selecting the badge labeled “Sycamore e-Learning”.