Phishing

What is phishing?

Phishing (pronounced fishing) is the act of using methods of communication (such as e-mails) for the express purpose of obtaining personal information (such as passwords or credit card numbers) or manipulating others to perform unauthorized actions (such as bank transfers or purchases).

There are many forms and styles of phishing. Most involve fraudulent or hijacked e-mail accounts posing as a reputable individual, team or company. The e-mail usually requests a simple action (please pay this vendor, please click on this link, please verify your account information, etc). Some add company logos, color schemes and official sounding titles to make them look more authentic. What makes phishing attacks successful is they prey upon human nature: to be helpful and trusting or to act out of fear or worry.

  • Vishing: phishing using voice calls or voice mail
  • Smishing: phishing using text messages
  • Spear phishing: targeted phishing
  • Whaling: even more targeted phishing, generally directed at the senior leadership level (such as CEO, presidents, etc)
  • Search engine phishing: creating fake look-alike websites
  • Were you expecting this e-mail?
  • Who sent it? Do you know them? Does it seem reasonable? (see example #1)
  • Does the sender's e-mail seem reasonable? Does it even match the sender's name? (see example #2)
  • Is this e-mail really even for you? (see example #3)
  • Is the e-mail professionally written and presented, virtually free of grammar and spelling errors? (see example #1, #2 and #4)
  • What is the tone of the e-mail? Beware of e-mails that try to get you to act out of pressure, fear, and/or worry. (see example #4)
  • Does the sender want you to click a link? If so:
    • Does that seem reasonable (vs just sending an attachment)?
    • Hover your mouse over the link. Does it seem reasonable (check the domain)? (see example #5)
  • Does the sender want you to download something? Great care should be taken if this is the case, as this file may be malware.
  • Who signed off?
    • Does it seem reasonable? (see example #1)
    • Does it even match who sent it? (see example #2)
  • If you are unsure if this e-mail is real or not, you can do one or more of the following:
    • Call the individual or company to confirm. Do not use the contact information found in the e-mail (such as phone number, e-mail or website address). Instead, look it up yourself.
    • Investigate it yourself.
    • Ask ITS. You can forward the e-mail to the Help Desk (helpdesk@ccsf.edu) and we will look into it.
  • If you've responded to the e-mail:
    • IMMEDIATELY change your password and any other accounts that use the same password. (Security Tip: Do not use the same password on multiple accounts. See Safe Computing Practices for more info.)
    • Check your rules. The bad guys like to add e-mail rules that send a copy of everything to them.
    • Contact ITS. E-mail or submit a ticket (helpdesk@ccsf.edu or www.ccsf.edu/help-desk)
    • Scan your computer for malware
    • Continue to monitor your accounts for suspicious activities.
  • We highly encourage everyone to enable Multi-Factor Authentication (MFA) whenever possible (See Safe Computing Practices for more info).

Example #1:

From: IT tame of SF colleg <it-sfc@sf-colleg.edu>
Sent: Friday, September 8, 1995 4:30 PM
To: Barbara Smith <barbara.smith@ccsf.edu>
Subject: Emportnt documnt

You need to look at immeditately get this very empourtent document now before its taken gone and you don't get to see. Then you account will be closed forever.

Your IT Teem Dept

 

Red flags:

  • Sender is suspicious. Who is "IT tame of SF colleg"?
  • Not from an @ccsf.edu account
  • Numerous typos, spelling mistakes, grammatical errors, poor English and not professional

Example #2:

From: Tyler Durden <e.nortonoffc@lijang.snezhinsk.ru>
Sent: Friday, October 15, 1999 4:19 AM
To: Mary Jones <mary.jones@ccsf.edu>
Subject: Club meating tonite

Last chance. Don't talk about, just regester here now or be fourever let out.

Signed,

Brad

brad1218@palahniuk.fr

 

Red Flags:

  • Sender's name and e-mail doesn't seem to match
  • Sender and signature don't match
  • Numerous typos, spelling mistakes, grammatical errors, poor English and not professional

Example #3:

From: A. Smith <a.smith@ccsf-email.com>
Sent: Friday, March 31, 1999 2:59 PM
To: Jan Smith <jan.smith@ccsf.edu>; Jane Smith <jane.smith@ccsf.edu>; Joan Smith <joan.smith@ccsf.edu>; John Smith <john.smith@ccsf.edu>; Jon Smith <jon.smith@ccsf.edu>; Jonathan Smith <jonathan.smith@ccsf.edu>
Subject: Need information

Important. Please send me your username and password so I can check if your account is up to date. If you don't send it, I will have to terminate your account. I need it by the end of today.

Sincerely,

A. Smith

 

Red Flags:

  • Not from an @ccsf.edu account
  • Are you really the target audience?
  • Why would they need your username and especially your password to check your account?
  • What tone is the message sending? Are they trying to scare you? Rush you?

Example #4:

Screenshot from Anatomy of Scam Emails - How To Recognise[sic] A Phishing Scam Message.

Example #5:

Screenshot of fake email claiming to be from the IT department

 

Red flags:

  • CCSF doesn't have an "EMAIL IT Department" nor even a more reasonable E-mail Team. ITS signs off messages with a person's name and contact info.
  • Sender and e-mail address don't match
  • Not from an @ccsf.edu account