Phishing: Top Tips to Stay Safe Online
What is a phishing attack?
Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization.
For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.
Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as:
- Natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
- Epidemics and health scares (e.g., H1N1, COVID-19)
- Economic concerns (e.g., IRS scams)
- Major political elections
Tips to keep yourself safe from phishing scams
Don’t Always Trust the Display Name
Double-check the email address to make sure it is a valid address from a known person. Do not trust the display name just because it shows a colleague or company you are familiar with. It is very simple to spoof the display name that the message appears to be coming from. It is also common to use misspellings. (Example: microsofttearns.com)
Don’t Respond and Don’t Click
Don’t take action unless you’re 100% sure it is a legitimate email. We don’t want to burst your bubble, but you are not going to get a free item after filling out a survey, shippers don’t contact people out of the blue regarding delivery issues, and you don’t need to update your payment details. If you think it is legit, log into the vendor’s site without clicking on the link, or give them a call and check.
Avoid Emails Demanding an Urgent Response
"Your Social Security Number Was Suspended!"
That sounds official, but buzzwords like “expiring” or “suspended” that are used to create urgency are a red flag. It's common for attackers to prey on fear, so whenever you see a message calling for immediate action, take a moment, pause, and look carefully at the message. Are you sure it's real? Slow down and be safe.
Hover to Discover
Clicking on links that appear in random emails and text messages isn’t a smart move. Place your cursor over addresses and links without clicking to inspect for suspicious URLs. When in doubt, go directly to the source rather than clicking a potentially dangerous link.
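The two checks described under "Don’t Always Trust the Display Name" and "Hover to Discover" can also be run automatically over a message. The following is an added example, not part of the original article: the trusted-domain list, the look-alike rules and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"microsoftteams.com"}  # assumed allow-list for this example
# Constructed sample message, not real mail.
SAMPLE = '''From: "Microsoft Teams" <notify@microsofttearns.com>
Content-Type: text/html

<a href="http://login.example.net/verify">https://www.microsoftteams.com</a>
<a href="https://www.microsoftteams.com/help">Help</a>
'''

def skeleton(domain):  # collapse sequences that look alike at a glance
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        domain = domain.replace(fake, real)
    return domain

class Links(HTMLParser):
    """Collect (visible text, href) pairs: what hovering over a link reveals."""
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.text.strip(), self.href))
            self.href = None

def check_message(raw):
    msg, findings = message_from_string(raw), []
    # Judge the real address, never the display name.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for good in sorted(TRUSTED):
        if domain != good and skeleton(domain) == skeleton(good):
            findings.append(f"sender domain {domain} imitates {good}")
    parser = Links()
    parser.feed(msg.get_payload())
    for text, href in parser.found:
        host = (urlsplit(href).hostname or "").lower()
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and shown.group(1) != host:  # text names one host, link opens another
            findings.append(f"link text shows {shown.group(1)} but opens {host}")
    return findings
```

The host comparison is exact, so a link whose text shows a domain without "www." while the target includes it is also flagged and needs a human look.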
Don’t Be Fooled by Short Links
Shortened URLs can be dangerous and are often used to hide phishing sites. Before clicking, make sure you know who made the shortened link and why. Before you create a shortened link, consider alternatives. And always remember, be cautious. Criminals use shortened links to hide phishing and malware links.
Pass Up That Irresistible Offer
If it sounds too good to be true, it probably is. Incredible offers and prizes are fake. Pretty much all the time. Even if it seems like a legitimate ad through email or on social media, make sure you know the company and do your research before you click. If it is a company you do business with, go directly to their website and check out their deals!
Don’t Be Immediately Pushed to a Website
Emails that immediately push you to a website should raise a red flag.
Phishing emails will employ deceptive tactics to create a sense of urgency for you to visit a website. It is essential to exercise caution and avoid replying or clicking on links. If you feel the message may be legitimate, you should independently verify it by contacting the sender through a trusted channel, such as their official website or phone number. By not being pushed to a website in a phishing email, you can protect yourself from potentially harmful cyber threats and safeguard your personal information.
Never Provide Any Personal Information
If you’re asked to provide any personal information, delete the email immediately.
Cyber criminals often use phishing tactics, such as sending fake emails that appear legitimate, to trick individuals into divulging personal information such as usernames, passwords, social security numbers, or credit card information. It's crucial to remember that legitimate organizations or businesses typically do not request sensitive information via email.
Pay Attention to The Details
Check that the email is professionally written, with accurate grammar, and that it has an email signature containing an individual’s name, title, and contact information.
It is essential to be vigilant and cautious when receiving emails with poor writing and not to click on any links or provide any personal information. Legitimate organizations or businesses typically communicate professionally, with accurate grammar and punctuation, and do not ask for sensitive information through email.
If You See Something, Say Something!
If you receive a suspicious email, it's essential to report it by using the report message option in Outlook (or any email program). Reporting suspicious emails can help prevent potential cyber-attacks and protect other individuals from falling prey to phishing scams.
If you clicked on a link in a suspicious email, report this immediately to the Technology Help Desk. You can also report it to the organization the email claims to be from. In addition, you can forward phishing emails to firstname.lastname@example.org (an address used by the FTC) and to email@example.com (an address used by the Anti-Phishing Working Group, which includes ISPs, security vendors, financial institutions, and law enforcement agencies).
Within the top ribbon of Outlook, select: Report Message > Phishing. In Outlook on the web, choose Report > Report Phishing.
Other Types of Scams
What is a Vishing Attack?
Vishing is the social engineering approach that leverages voice communication. This technique can be combined with other forms of social engineering that entice a victim to call a certain number and divulge sensitive information.
Advanced vishing attacks can take place completely over voice communications by exploiting Voice over Internet Protocol (VoIP) solutions and broadcasting services. VoIP easily allows caller identity (ID) to be spoofed, which can take advantage of the public’s misplaced trust in the security of phone services, especially landline services.
Landline communication cannot be intercepted without physical access to the line; however, this trait is not beneficial when communicating directly with a malicious actor.
Where do the phishing scams exist?
On the dark web, phishing is a very popular and effective way to try to steal data, lock data, delete data, gain access, or take over a computer. Phishing usually comes through email, but can come via text message or other collaboration apps like Teams, Discord, or LinkedIn.
What is a spear phish?
Spear phishing involves highly specialized attacks against specific targets or small groups of targets to collect information or gain access to systems.
For example, a cybercriminal may launch a spear phishing attack against a business to gain credentials to access a list of customers. From that attack, they may launch a phishing attack against the customers of the business. Since they have gained access to the network, the email they send may look even more authentic, and because the recipient is already a customer of the business, the email may more easily make it through filters and the recipient may be more likely to open the email.
The cybercriminal can use even more devious social engineering efforts such as indicating there is an important technical update or new lower pricing to lure people.