Phishing

What is phishing:

phish·ing  noun \ˈfi-shiŋ\  :  Phishing is an email scam that attempts to obtain sensitive information from unsuspecting users. 

How to spot phishing:

A phishing email will attempt to trick you in one of five ways:

1.  The Old-Fashioned Scam:  In this type of phishing message, the bad guy simply makes a direct request for personal information or money.  The bad guy asks you to reply to the email and then starts a dialogue with you in an attempt to gain your trust.  The bad guy will have a very detailed cover story and will keep pressing you to provide more information or to send money.

2.  A Fake Link:  The phishing message may contain a link which takes you to a fake website or which downloads malware onto your computer.  To avoid this, always stop and think before you click a link.  Did you expect to receive the message in the first place?  Hover your mouse over the link and verify that it is taking you where you want to go.  Links can be deceiving: the text you see and the address the link actually opens are two separate things, and only the address matters.  On the original web page, hovering over the following link shows a destination that is not what the link text says:  http://www.gatech.edu  If you are viewing the link on a smartphone, pressing and holding the link should reveal its actual destination.  Please note that 99.5% of all legitimate Georgia Tech websites have a hostname that ends in "gatech.edu" (e.g. https://passport.gatech.edu).  Check the end of the hostname, not whether "gatech.edu" appears somewhere in the address: a link to gatech.edu.example.com, or to example.com/gatech.edu, contains the words but is not a Georgia Tech site.

3.  A Fake Website:  If you received a phishing email with a fake link, you may have clicked the link and landed on a website asking for your information.  To learn how to identify a legitimate website, please read the following: https://faq.oit.gatech.edu/content/how-identify-legitimate-website.  If you receive an email that you think is trying to send you to a fake website, one strategy is to open your web browser and type in the actual URL of the website you are looking for yourself.  For example, if you receive an email from what appears to be your bank asking you to click a link and enter your login and password, do not click the link; go to your browser and navigate to your bank's website yourself.  You can also call someone to verify whether the message is real.  Following the previous example, you can call your bank directly, using a number you obtained independently of the email, and ask whether they actually need to verify your information.

4.  A Malicious Attachment:  If you receive a phishing email with an attachment, the attachment most likely contains malware which will either send your information to the bad guys or allow the bad guys to access your computer.  Stop and think before you open any attachment.  Did you expect to receive the attachment from the sender?  Often the bad guys pretend to be people you know and trust in order to get you to trust the attachment.  If the email and attachment are from an unknown source, delete the email immediately.  If the email and attachment appear to be from a trusted source but were not expected, pick up the phone and call the person to verify that they actually sent you the message.

5.  Fake Contact Information:  If you receive a phishing message which contains a phone number to call if you have questions, this can also be part of the scam, designed to further gain your trust.  Don't trust the contact information contained in the email.  Navigate to the actual website of the organization in question and obtain their contact information directly from that website.
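The hover check from item 2 and the "is this really a Georgia Tech site" test from items 2 and 3 can be done programmatically on the links in a message. The following is an added example, not code from the original page or from Georgia Tech OIT: it takes a link's visible text and its real destination, extracts the hostname the browser would actually connect to, and tests that hostname by suffix rather than by "contains". The sample links are constructed; example.com, example.net and the 203.0.113.0/24 range are reserved for documentation and are not real phishing sites.

```python
"""Check e-mail links the way the page tells readers to do by hand.

Added example, not part of the original page.  Sample links are constructed.
"""
from __future__ import annotations

from ipaddress import ip_address
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "gatech.edu"  # the page's trusted domain

# Constructed (link text, real destination) pairs, as a mail client would
# have them: the text is what the reader sees, the href is what opens.
SAMPLE_LINKS = [
    ("https://passport.gatech.edu", "https://passport.gatech.edu/login"),
    ("http://www.gatech.edu", "http://gatech.edu.example.com/verify"),
    ("Reset your password", "https://passport.gatech.edu@example.net/reset"),
    ("Open document", "http://203.0.113.7/docs/invoice.html"),
]


def host_is_trusted(host: str, domain: str = TRUSTED_DOMAIN) -> bool:
    """True only if host is the domain itself or a subdomain of it.

    A 'contains' test would be wrong: gatech.edu.example.com contains
    the string gatech.edu but belongs to example.com.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def real_destination(url: str) -> tuple[str | None, str | None]:
    """Return (scheme, hostname) of where a URL really goes.

    urlsplit().hostname drops any user:pass@ prefix, so the lookalike
    https://passport.gatech.edu@example.net resolves to example.net.
    """
    parts = urlsplit(url.strip())
    return (parts.scheme.lower() or None), parts.hostname


def assess_link(link_text: str, href: str, domain: str = TRUSTED_DOMAIN) -> list[str]:
    """Return the reasons to distrust a link; an empty list means no red flags."""
    reasons: list[str] = []
    scheme, host = real_destination(href)
    if scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {scheme!r}")
    if host is None:
        reasons.append("no hostname in destination")
        return reasons
    try:
        ip_address(host)
        reasons.append("destination is a bare IP address, not a named site")
    except ValueError:
        pass  # a normal hostname
    if not host_is_trusted(host, domain):
        reasons.append(f"destination host {host!r} is not under {domain}")
    # If the visible text itself looks like a URL, it must name the same
    # host as the real destination; this is the hover check, automated.
    _, text_host = real_destination(link_text)
    if text_host is not None and text_host != host:
        reasons.append(f"link text shows {text_host!r} but destination is {host!r}")
    return reasons


if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        verdict = assess_link(text, href) or ["no red flags"]
        print(f"{text!r} -> {href}")
        for reason in verdict:
            print("   -", reason)
```

Only the first sample passes: the second contains "gatech.edu" in its hostname yet is under example.com and its text names a different host, the third hides the real host behind a userinfo prefix, and the fourth points at a bare IP address.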

 

The biggest thing to remember is that you should never share your login and password with anyone... for any reason... ever.

 

Reporting Phishing:

If you receive a message which you suspect may be a phishing attack, please forward the message as an attachment to phish@gatech.edu.  Forwarding as an attachment matters because it preserves the original message headers, which an inline forward replaces with your own; those headers are what the CyberSecurity team uses to trace where the message really came from.  For more information on how to forward a message as an attachment, please refer to the following page:  https://faq.oit.gatech.edu/content/how-do-i-forward-email-attachment
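What a message forwarded as an attachment lets the security team see, as an added example that is not the page's or OIT's own tooling: the original From, Reply-To, Return-Path and Authentication-Results headers survive, so the redirected reply address from item 1 (The Old-Fashioned Scam), a sending domain that does not match the claimed sender, and failed SPF/DKIM checks can all be read off the message. Both messages below are constructed for illustration; example.com and example.net are reserved documentation domains, and the trusted domain is the page's own gatech.edu.

```python
"""Header triage of a reported phishing message.

Added example, not from the original page.  Both messages are constructed.
"""
from __future__ import annotations

import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed phishing sample: spoofed From, replies redirected elsewhere,
# bounce address on a third domain, SPF fail, no DKIM, asks for a password.
PHISH_EML = """\
Return-Path: <bounce@mail.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail.example.net;
\tdkim=none
From: "Georgia Tech Help Desk" <helpdesk@gatech.edu>
Reply-To: account-verify@example.net
To: student@example.com
Subject: Your account will be suspended
Content-Type: text/plain; charset="utf-8"

Reply with your GT username and password within 24 hours to keep access.
"""

# Constructed benign sample for contrast: aligned domains, passing checks.
CLEAN_EML = """\
Return-Path: <helpdesk@gatech.edu>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gatech.edu;
\tdkim=pass header.d=gatech.edu
From: "Georgia Tech Help Desk" <helpdesk@gatech.edu>
To: student@example.com
Subject: Ticket 12345 closed
Content-Type: text/plain; charset="utf-8"

Your ticket has been closed. Reply to this message to reopen it.
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _auth_result(auth_header: str, method: str) -> str | None:
    """Pull e.g. 'fail' out of 'spf=fail ...' in an Authentication-Results header."""
    match = re.search(rf"\b{method}=(\w+)", auth_header)
    return match.group(1).lower() if match else None


def triage(raw_message: str, trusted_domain: str = "gatech.edu") -> dict[str, object]:
    """Return the parsed sender fields plus a list of red flags (empty == none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    auth = str(msg.get("Authentication-Results", "") or "")
    spf, dkim = _auth_result(auth, "spf"), _auth_result(auth, "dkim")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    flags: list[str] = []
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        flags.append(f"Reply-To goes to {_domain(reply_addr)}, not {_domain(from_addr)}")
    if return_path and _domain(return_path) != _domain(from_addr):
        flags.append(f"Return-Path domain {_domain(return_path)} differs from From")
    if spf is not None and spf != "pass":
        flags.append(f"SPF result is {spf}")
    if dkim is not None and dkim != "pass":
        flags.append(f"DKIM result is {dkim}")
    if re.search(r"\b(password|passcode)\b", body, re.IGNORECASE):
        flags.append("body asks for a password")
    if _domain(from_addr) == trusted_domain and flags:
        flags.append(f"claims to be {trusted_domain} but fails the checks above")
    return {"from": from_addr, "reply_to": reply_addr, "spf": spf, "dkim": dkim, "flags": flags}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EML), ("clean", CLEAN_EML)):
        result = triage(raw)
        print(f"{label}: from={result['from']} spf={result['spf']} dkim={result['dkim']}")
        for flag in result["flags"] or ["no red flags"]:
            print("   -", flag)
```

None of these headers are visible in an inline forward, which is why the page asks for the message as an attachment; the Reply-To check in particular is what exposes a message whose displayed sender is trustworthy but whose replies go somewhere else.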
 

Phishing Education & Awareness

The CyberSecurity team offers a fifteen-minute training and awareness session which can be delivered to any campus group.  The training is intended to educate users on what phishing is and how to spot it.  The CyberSecurity team can also proactively phish a campus group (with approval) as part of the training.  Typically the training is delivered first, and several weeks later the CyberSecurity team attempts to phish the trained users.  The detailed results of this exercise are kept private: it is not intended to be a "gotcha" activity, but rather to solidify awareness of phishing and of the techniques for identifying it.  For more information contact Jason Belford or Jimmy Lummis.