Topics Map > Service Catalog > Communications and collaboration services > Email
Phishing: Top Tips to Stay Safe Online
Top tips to prevent malicious actors from gathering your personal information through communication channels.
Tips to keep yourself safe from phishing scams
What is a phishing attack?
Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization.
For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.
Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as:
- Natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
- Epidemics and health scares (e.g., H1N1, COVID-19)
- Economic concerns (e.g., IRS scams)
- Major political elections
If you find a suspicious email in your inbox, use the Report Message in Outlook and the Junk option in the Outlook Web app to report the message. The email will then be removed from your inbox and a report is sent to both Microsoft and UW Stout. This report gives us important information to help stop future phishing emails.
You can also inform the company or person that was impersonated about the phishing scheme.
Forward phishing emails to firstname.lastname@example.org (an address used by the FTC) and to email@example.com (an address used by the Anti-Phishing Working Group, which includes ISPs, security vendors, financial institutions, and law enforcement agencies) and report it to the FTC at FTC.gov/Complaint.
Phone a friend
Talking to a colleague might help you figure out if the request is real or a phishing attempt.
Verify to clarify
If you receive an email or text message requesting you to confirm or submit financial information, your login information, or any other sensitive personal information by clicking a link, don’t. Immediately contact the organization (not via the contact information contained in the email) to verify the request. You can also visit the company’s legitimate website and log into your account to see if you have any messages or action items.
When in doubt, throw it out
Links in email, tweets, texts, posts, social media messages and online advertising are an easy way for cybercriminals to get to you. Be wary of clicking on links or downloading anything that comes from a stranger or that you were not expecting. Essentially, don’t trust links.
Remember what you learned about not accepting candy from strangers? Apply that to the online world as well. Do not click links in emails, text messages, chat boxes, etc. from people you do not know--and be suspicious of links sent from those you know as well.
- Is the sender asking you to do something they wouldn’t normally ask you to do, such as bypass your company policy?
- Does it seem weird the credit card company is asking you to verify your credit card number or SSN? (yes--they have that information already).
- Are there misspelled words or unusual phrases?
- Is there a sense of urgency--requesting you click now or act immediately?
These are often context clues in the body of the email or text hinting that something is not right.
Sometimes the call to action in an email can trick you--such as “unsubscribe” or “reply to stop receiving these messages.” It is better to just delete the email or mark it as spam if it is spam.
Hover to Discover
You can put your cursor on top of the link (be careful not to click!). When you do that, the true path will appear. Does the destination of the link align with what you would think? If it doesn’t look legitimate, do not click. Immediately delete the email.
What is a Vishing Attack?
Vishing is the social engineering approach that leverages voice communication. This technique can be combined with other forms of social engineering that entice a victim to call a certain number and divulge sensitive information.
Advanced vishing attacks can take place completely over voice communications by exploiting Voice over Internet Protocol (VoIP) solutions and broadcasting services. VoIP easily allows caller identity (ID) to be spoofed, which can take advantage of the public’s misplaced trust in the security of phone services, especially landline services.
Landline communication cannot be intercepted without physical access to the line; however, this trait is not beneficial when communicating directly with a malicious actor.
Where do the phishing scams exist?
On the dark web, phishing is a very popular and effective way to try to steal data, lock data, delete data, gain access, or take over a computer. Phishing usually comes through email, but can come via text message or other collaboration apps like Teams, Discord, or LinkedIn.
What is a spear phish?
Spear phishing involves highly specialized attacks against specific targets or small groups of targets to collect information or gain access to systems.
For example, a cybercriminal may launch a spear phishing attack against a business to gain credentials to access a list of customers. From that attack, they may launch a phishing attack against the customers of the business. Since they have gained access to the network, the email they send may look even more authentic and because the recipient is already customer of the business, the email may more easily make it through filters and the recipient maybe more likely to open the email.
The cybercriminal can use even more devious social engineering efforts such as indicating there is an important technical update or new lower pricing to lure people.