What is phishing?
Phishing scams are a technique often used by hackers and identity thieves to compromise accounts and install malware. While conmen have been tricking people out of their money for thousands of years, and impersonating someone else is nothing new, high-speed communications technologies like e-mail and chat programs make it easier for bad actors to do the same at scale.
Phishing is a social engineering method in which the attacker uses an email message or phone call to lure unsuspecting recipients into giving out personal, financial, or other sensitive information, which the attacker then uses to commit identity theft, gain access to the victim's accounts, or hack their computer. The email or call usually appears to come from a legitimate person, much as a worm on a hook might seem legitimate to a fish; hence the name "phishing" (fishing).
How do I know if an email is phishing?
ITS has compiled the following tips to help you avoid falling prey to phishers:
- Scrutinize all emails before downloading attached files or clicking links.
- Verify that the sender's email address is legitimate and belongs to someone you know. It's not enough for the name and picture to match; the email address, including the domain (the part after @), should be the same, too.
- Be skeptical of messages that have poor spelling or grammar, sloppy formatting, or a generic greeting such as “Dear Customer” rather than your name.
- Beware of common intimidation tactics such as “Urgent action required!” or “Your account has been compromised!” If you're concerned, contact the sender through other means to verify the request.
- Be skeptical of any email that urgently requests financial information. If you're not sure about a request, contact the sender through other means to verify it.
- Don’t click on unrecognized links.
- Want to know where a link is actually going? Hover over it with your mouse cursor to reveal the actual web address.
- At MSU Denver, all email links are checked for legitimacy through the Outlook SafeLinks feature. However, the ever-changing landscape of phishing attempts means this may not always catch a fake link, so you should still verify links before clicking them.
- Don’t download “free” software onto your PC; this is a common gateway to getting scammed.
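As an added illustration (not part of the ITS page), the following Python script applies two of the tips above, "compare the domain after @" and "look where the link actually goes", to a constructed sample message, alongside simple checks for a generic greeting and urgency phrases. The messages, domain names and phrase lists are made up for this example; it uses only the standard library, so it can be run offline against any saved message.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing message). The display name claims the
# sender is the bank, but the address is at an unrelated domain; the link text
# shows the bank's URL while the href points at a different host.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@examplebank-alerts.example.net>
To: student@example.edu
Subject: Urgent action required!
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer, your account has been compromised.</p>
<p>Log in here: <a href="http://login.attacker-placeholder.example/verify">https://www.examplebank.example/login</a></p>
</body></html>
"""

# Constructed legitimate message for comparison: matching domain, personal
# greeting, and link text that agrees with the href.
CLEAN_EMAIL = """\
From: "Example Bank Support" <support@examplebank.example>
To: student@example.edu
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello Jordan, your statement is available at
<a href="https://www.examplebank.example/statements">https://www.examplebank.example/statements</a>.</p>
</body></html>
"""

URGENCY_PHRASES = ("urgent action required", "account has been compromised")  # assumed list
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")     # assumed list


def sender_domain(from_header: str) -> str:
    """Domain (the part after @) of the real sender address, ignoring the display name."""
    _display_name, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a>; the href is what hovering reveals."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def mismatched_links(html_body: str) -> list:
    """Links whose visible text is itself a URL but whose href goes to a different host."""
    collector = _LinkCollector()
    collector.feed(html_body)
    mismatches = []
    for text, href in collector.links:
        if text.lower().startswith(("http://", "https://")):
            if urlparse(text).hostname != urlparse(href).hostname:
                mismatches.append((text, href))
    return mismatches


def phishing_indicators(raw_message: str, expected_domain: str) -> list:
    """Apply the checks from the tips to one raw message; returns 'code: detail' strings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = (str(msg["Subject"]) + " " + body).lower()
    findings = []
    domain = sender_domain(str(msg["From"]))
    if domain != expected_domain.lower():
        findings.append(f"sender-domain: {domain} is not {expected_domain.lower()}")
    for shown, real in mismatched_links(body):
        findings.append(f"link-mismatch: text shows {shown} but goes to {real}")
    for greeting in GENERIC_GREETINGS:
        if greeting in text:
            findings.append(f"generic-greeting: {greeting!r}")
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            findings.append(f"urgency: {phrase!r}")
    return findings


if __name__ == "__main__":
    for label, message in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, phishing_indicators(message, "examplebank.example") or ["no indicators"])
```

The sample message trips all four checks, while the clean one produces none. The link check is the important one: the visible text and the real destination are compared by hostname only, which is exactly what a hover preview lets you do by eye, and a mismatch there is a strong signal regardless of how polished the rest of the message looks.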
Example of a phishing e-mail:
What do I do if I've received a phishing email?
DON'T respond to phishing emails
Scammers are often working off of large lists of email addresses and have no idea which of those accounts, if any, are actively monitored, or even still open. Any response, even if it's to call out the message for what it is, signals to the scammer that someone is paying attention to that address. And just because you didn't fall for this phishing attempt doesn't mean you won't fall for the next!
DO report phishing emails
Most major email clients have built-in reporting functionality that allows users to bring attention to a suspicious or malicious email, with the added benefit of blocking the sender's address. If you suspect you've received a phishing email, don't be shy about reporting it!
At MSU Denver, if you're unsure about the legitimacy of a message, you can report it to ITS for the Security team to review and get back to you. If you're confident a message is phishing, you can report it to Microsoft directly using the same steps used to report Junk Email.
What do I do if I've fallen for a phishing email?
Don't panic!
If you've given out sensitive information, there are steps you can take to protect yourself and your accounts. If you act quickly, you may be able to avoid serious losses.
- If you provided login information, you should change your password immediately. If you use this password on other accounts, change the password for those accounts as well.
- If this was a breach of MSU Denver information (including information about you as an employee), you should immediately report it to ITS. The security team will be able to help you with next steps.
- If you provided information about yourself, follow the guidance in our article, What do I do if I revealed my personal information to a phisher?
Additional Resources