Last week’s article mentioned that cyberattackers try to trick people into installing malicious software by disguising it as a useful update. In fact, hackers and scammers employ this kind of deception in all sorts of attacks, impersonating legitimate organizations or trusted people in the hopes that their targets won’t notice anything wrong. A common example of this sort of deceptive attack is phishing, where bad actors use fake emails or other text messages to trick you into clicking bad links, installing malware or replying with personal information.
As security technology continues to advance, sometimes the human element of security is the most vulnerable part of any organization. But with a little knowledge and a careful eye, you can make yourself harder to crack than any password.
The methods bad actors use to impersonate others can vary widely, but there are several common warning signs:
- Offers that are too good to be true, for instance: “You’ve inherited $300M, please send $49 for delivery.”
- Urgent, alarming or threatening language, such as: “Failure to comply within 48hrs might lead to permanent shut-down.”
- Poorly crafted writing with misspellings and bad grammar, like this: “We will play info we hold about you, so you ca be sure this is a genuine request.”
- Requests to send personal information, for instance: “To re-validate your account please provide your email address, user ID, and password.”
- Unexpected or unfamiliar attachments or hyperlinks, especially ones that don’t lead where they say they will. Most mail clients will let you verify where a hyperlink goes without clicking on it (specific methods vary among clients, but a common method is to hover your mouse pointer over the link).
- Strange or abrupt business requests, such as: “I’m stuck in a meeting but I need you to make an urgent payment to our client’s new bank account ASAP or they won’t deliver on time.”
- Bizarre or unprofessional subject lines, such as: “MESSAGE FROM C.E.O.” or “ATTN: MY DEAR FRIEND.”
- The sender’s email address doesn’t match the person or company it’s supposed to come from, like an email from an MSU Denver colleague where the sender’s address ends in ‘[email protected]’, instead of ‘@msudenver.edu’.
If you determine that you’ve received a phishing email, don’t worry — you’ve already done the hard part. Phishing emails can be safely deleted, but you should consider blocking the sender and reporting the phishing attempt, too. In particular, you should forward any suspicious emails in your MSU Denver email account to [email protected] so the security team can update the University’s filters and security systems.
You should never follow the instructions in any suspicious email until you’ve verified that it’s legitimate. If you suspect you’ve fallen victim to a phishing attempt in your MSU Denver email account, please contact MSU Denver Information Technology Services as soon as possible. If you are concerned about a personal account, Phishing.org provides a list of government and security-focused resources you can use to report attempted or successful phishing attacks.