Beyond Phishing


During this unprecedented time of most everyone working remotely, I would like to refresh your memory of known attacks and add a couple more to look out for. It is crucial to remember these things, even while working remotely. This information can help you at work and at home!

Phishing

  • A phishing attack is one where a hacker will use information that looks like it is from a reputable company in an attempt to collect personal information from the recipients.
  • Legitimate logos will be used and links within the email look correct.
  • Always hover over links before clicking; if the hover text shows a different URL than the one displayed, don’t click it.
  • Check for bad grammar, spelling, and formatting.
  • Report suspected phishing (instructions) to OIT Abuse.

Spear Phishing

  • In the past year, we experienced quite a few spear phishing attacks in which the emails looked like they were coming from your supervisor.
  • The hacker does research on social media or web sites to learn who’s who in the organization, then targets employees by gaining their trust, even asking about a project you are working on.
  • Remember the hacker knows a lot about you because of the research.
  • Be careful when you post to social media because the hacker may notice when the boss is at a conference, then send the email.
  • Remember that NO ONE at the Institute will ever ask you to go purchase gift cards on their behalf by sending an email. (If they do, they may be breaking policy.)
  • Report suspected spear phishing (instructions) to OIT Abuse.

Vishing

  • Vishing is a phishing attack, but over the telephone.
  • If you receive calls from someone claiming to be a vendor and they start asking questions about your project, the network, research, etc., steer clear if you have not initiated the call.
  • Be careful not to use the word “yes” during the call, as some phone calls are recorded and can be used against you by manipulating words said during the recording.
  • Don’t trust the caller ID, as vishing scammers spoof numbers to make them look legitimate.
  • It is best to hang up and register to be on The National Do Not Call Registry.
  • Once you are on the Do Not Call Registry for 31 days, you can report any unwanted call to the FTC at the above link.

Smishing

  • Smishing is a phishing attack via text messaging (SMS).
  • The smishing scammer will send a text to alert you about supposed fraudulent activity.
  • They will ask you for personal information like an account, PIN, or password.
  • Don’t click on any link in a text message that you did not ask for or expect.
  • Don’t reply to these text messages.
  • File a complaint with the FCC.

Tips for any kind of suspicious contact:

  • The Institute, the HelpDesk, and the University will never ask for your personal information via text, email, etc.
  • Your boss will never ask you to purchase gift cards and email him the codes.
  • Your bank or any other financial institution will never ask for account information, including account number, PIN, password, etc., via email, a phone call that you didn’t initiate, or text message.
  • When in doubt about what you have been asked to provide in any of these situations, initiate your own call to whomever the scammer is portraying and ask them directly.
  • Be extra vigilant during times of crisis, such as COVID-19, as scammers absolutely love to prey on people in a time of confusion and fear.

If you ever have doubts, questions, concerns, or comments, please don’t hesitate to let me know. You can email me or call my cell at any time. The Institute’s data and employees are why I am here!

Please stay safe and healthy!

Sandy