Be Alert: Know How to Identify and What to do with Phishing Emails
In the digital world, there are a lot of people who will work hard to steal your information for financial gain. The practice of phishing – a means to illicitly gain your information through email fraud – is commonplace, and there are a few things Elizabeth City State University employees and students can do to protect themselves and the campus community from digital scammers.
According to ECSU’s chief information officer with the Division of Information Technology, Suresh Murugan, phishing is a “subset of what we call a social engineering attack.” Social engineering attacks come in several varieties and they include “vishing,” or telephone scams, “smishing,” or text scams, and the email variety, phishing.
Phishing scams attempt to trick the user into believing they are receiving a legitimate email, many times spoofing email addresses that are commonly received by the recipient. In the case of ECSU, a university student or employee may receive an email that attempts to mimic a campus address, for example.
“Cybercriminals often use an email address that closely resembles one from a reputable company by altering or omitting a few characters,” said Mr. Murugan.
He says that phishing efforts are becoming increasingly sophisticated. Someone who receives an email such as this should be aware and should question anything that might raise a red flag.
Mr. Murugan says some of the things to look out for, aside from a slightly askew sender email address, are:
- A general greeting that would gear towards a volume of people;
- Emails that suggest there is a problem with your account and request “immediate action,” are marked “urgent,” or “quick.”
- A spoofed hyperlink. The hyperlink may look familiar, however upon closer examination the recipient might find that something is not right with it. Do not click on the link.
“If you hover your cursor over any links in the body of the email, and the links do not match the text that appears when hovering over them, the link may be spoofed,” he said.
Mr. Murugan says you should also be aware of the email layout. An unfamiliar layout, or a layout that does not look quite right, could provide clues to the origin of the email.
Also, he said, keep an eye on the spelling in an email.
“Many of these are coming from non-English speaking countries,” said Mr. Murugan, and added that bad grammar is another red flag.
Attachments often accompany phishing emails. He said if it is an unfamiliar email and you are suspicious of its origin, do not open the attachment.
“They have information embedded in the attachment that might download malware that would precede a larger attack,” said Mr. Murugan.
And if you suspect the email is not legitimate do not, he says, respond to it. You should, he said, use “the rule of thumb, guilty until proven innocent.”
To protect university users, ECSU now requires employees and students to use the two-factor identification system, Duo. This provides, said Mr. Murugan, an extra layer of protection by requiring users to verify their information and the Duo app should be downloaded by the entire campus community.
When a suspicious email is reported to the ECSU IT department, a campus-wide email will be sent out through both the Employee Moderator and Student Moderator systems. These emails will alert the campus to the suspicious email and provide information about phishing and the appropriate action.
Mr. Murugan says additional actions to protect your computer and your network are:
- Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information;
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email;
- Don’t send sensitive information over the internet before checking a website’s security;
- Pay attention to the Uniform Resource Locator (URL) of a website. Look for URLs that begin with “https”—an indication that sites are secure—rather than “http.” Look for a closed padlock icon—a sign your information will be encrypted;
- Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
If anyone on campus receives an email they believe could be suspicious, forward that email to infosec@ecsu.