Difference between revisions of "Phishing"

Latest revision as of 01:13, 1 April 2021

Phishing is the fraudulent attempt to obtain sensitive information (e.g., usernames, passwords, credit card details) via email, text messages, and telephone communication by disguising oneself as a trustworthy entity. Numerous phishing emails are sent to WSU addresses every day. Many are detected and deleted before they reach your mailbox, but some cleverly disguised messages get through. Falling for phishing schemes can have terrible consequences for you and puts the entire Winona State University community at risk. Using your credentials and associated permissions, attackers can access Winona State University network resources and data, including private information to which you have access. Protecting Winona State University from phishing attacks is everyone's responsibility and an important part of being a good digital citizen. Your best defenses against phishing are knowledge, vigilance, and multi-factor authentication.

What everyone should know

Phishing fundamentals

Always enable multi-factor authentication on any account that offers it. Learn more...
Always suspect any request for your password, social security number, or any other private data via email or phone.
Never respond to a suspicious message or engage the suspected attacker in any way.
Never select a link in any suspicious email or text message.
Never forward suspicious email to others, even Winona State University technical support staff.
Always report any suspicious messages using the procedures listed below.

Reporting suspected phishing

Suspicious Outlook email messages

In the online version of Outlook, select Report Message...Phishing from the More actions menu while viewing the message (Fig 1)
In the installed, desktop version of Outlook, select Phishing from the Report Message menu on the Home ribbon while viewing the message (Fig 2)

Suspicious text messages, phone calls, and voicemail messages

Send an email to abuse@winona.edu describing the message

Screenshots

Fig 1: In Outlook online, select More actions (1), Report Message (2), Phishing (3)
Fig 2: In Outlook desktop, select Report Message...Phishing

If you get phished

Contact the Technical Support Center (TechSupport@winona.edu, 507-457-5240, Somsen Hall 207) immediately
Change the passwords on all potentially affected accounts immediately

Types of phishing messages

Familiarize yourself with the the types of phishing messages attackers use to trick you. Perhaps the most convincing are messages targeting you directly based on information about you the attacker found online. Fraudulent messages in which the attacker actually speaks to you over the phone can also be difficult to detect.

Basic phishing - Generic messages sent to a large number of people in hopes that some will fall victim
Spear phishing - Personalized messages targeting you directly based on the attacker's knowledge about you (e.g., in what area of Winona State University you work, coworkers' names), usually obtained from public, online sources
Whaling - Personalized messages targeting high-value targets (e.g., people with access to valuable data) directly
Cat phishing - Personalized messages targeting you directly that attempt to establish an interpersonal relationship with you for future exploitation
Vishing - Voice messages (e.g., phone calls, voicemail messages) used to increase the perceived urgency and authenticity of the attack

Stay vigilant and safe

Here are some good tips for spotting possible phishing messages and protecting yourself from attack:

Enable multi-factor authentication on any account that offers it. Once enabled, even if attackers steal your password, they cannot access your account without a second form of verification.
No one from any Minnesota State organization will ever ask for any private data (e.g., your password, social security number) via phone, email, or text.
Be wary of messages from people or organizations you don't know and messages from those you do know, but that include unusual requests (e.g., purchase gift cards for family members).
Phishing messages often include typos, spelling errors, and grammatical mistakes.
Phishing messages often convey a heightened sense of urgency or importance (e.g., a limited time to reply, severe negative consequences).
Be suspicious of any email or text message that asks you to select a link or web address embedded in the message. Mouse over the link without selecting it to examine the web address or URL. If the address looks unusual in any way, report it.

More information

@@ Line 1: / Line 1: @@
-__NOTOC__
+{{TOC_Float_Right}}
-{{Survival Guide|Audience=Student}}
+'''Phishing''' is the fraudulent attempt to obtain sensitive information (e.g., usernames, passwords, credit card details) via email, text messages, and telephone communication by disguising oneself as a trustworthy entity. Numerous phishing emails are sent to WSU addresses every day. Many are detected and deleted before they reach your mailbox, but some cleverly disguised messages get through. Falling for phishing schemes can have terrible consequences for you and puts the entire {{WSU}} community at risk. Using your credentials and associated permissions, attackers can access {{WSU}} network resources and data, including private information to which you have access. Protecting {{WSU}} from phishing attacks is everyone's responsibility and an important part of being a good digital citizen. Your best defenses against phishing are knowledge, vigilance, and [[Multi-factor authentication for Office 365|multi-factor authentication]].
-==What is Phishing==
-[http://en.wikipedia.org/wiki/Phishing Phishing as defined by Wikipedia]
-==Information From WSU==
-[[File:Phisingl.jpg|100px| left]]
-PHISHING IS SERIOUS BUSINESS!  IT THREATENS YOUR SECURITY ALONG WITH THE SECURITY OF WINONA STATE UNIVERSITY.
+==What everyone should know==
+===Phishing fundamentals===
+#'''Always enable multi-factor authentication''' on any account that offers it. [[Multi-factor authentication for Office 365|Learn more...]]
+#'''Always suspect''' any request for your password, social security number, or any other private data via email or phone.
+#'''Never respond''' to a suspicious message or engage the suspected attacker in any way.
+#'''Never select''' a link in any suspicious email or text message.
+#'''Never forward''' suspicious email to others, even {{WSU}} technical support staff.
+#'''Always report''' any suspicious messages using the procedures listed below.
-The most common form of phishing is emails pretending to be from a legitimate retailer, bank, organization, or government agency.  The sender asks to “confirm” your personal information for some made-up reason: your account about to be closed, an order for something has been placed in your name, or your information has been lost because of a computer problem.   A phishing email that you may receive regarding Winona State is one which states that the WSU IT Department wants you to confirm your username and password.  Do NOT do this!  THE WSU IT DEPARTMENT WOULD NEVER ASK YOU TO REVEAL PRIVATE INFORMATION IN AN EMAIL
+===Reporting suspected phishing===
+====Suspicious Outlook email messages====
+*In the online version of Outlook, select '''Report Message...Phishing''' from the '''More actions''' menu while viewing the message (Fig 1)
+*In the installed, desktop version of Outlook, select '''Phishing''' from the '''Report Message''' menu on the Home ribbon while viewing the message (Fig 2)
+====Suspicious text messages, phone calls, and voicemail messages====
+*Send an email to [mailto:abuse@winona.edu abuse@winona.edu] describing the message
+====Screenshots====
+<gallery widths=300px heights=300px>
+File:Phishing report outlook online.jpg|Fig 1: In Outlook online, select More actions (1), Report Message (2), Phishing (3)
+File:Phishing report outlook desktop.jpg|Fig 2: In Outlook desktop, select Report Message...Phishing
+</gallery>
+===If you get phished===
+#Contact the {{TSC}} immediately
+#Change the passwords on all potentially affected accounts immediately
-===What Should You Do===
+===Types of phishing messages===
-*If you receive an email that asks for your PASSWORD, CREDIT CARD, or any other private data - '''DO NOT respond''' (email, web form, etc.).  Although these emails can (and usually do) look official and appear to be sent from a legitimate source, they are SCAMS. The WSU Information Technology Department would never ask you to reveal private information such as your password via email.  This is also true of your Bank, PayPal, e-Bay, etc.
+Familiarize yourself with the the types of phishing messages attackers use to trick you. Perhaps the most convincing are messages targeting you directly based on information about you the attacker found online. Fraudulent messages in which the attacker actually speaks to you over the phone can also be difficult to detect.
-*The safest way to protect yourself is to '''NEVER share your password(s) with anyone'''.
+*'''Basic phishing''' - Generic messages sent to a large number of people in hopes that some will fall victim
-*Don’t click on links within emails that ask for your personal information.
+*'''Spear phishing''' - Personalized messages targeting you directly based on the attacker's knowledge about you (e.g., in what area of {{WSU}} you work, coworkers' names), usually obtained from public, online sources
-*Never enter your personal information in a pop-up screen.
+*'''Whaling''' - Personalized messages targeting high-value targets (e.g., people with access to valuable data) directly
-*Report Phishing Emails
+*'''Cat phishing''' - Personalized messages targeting you directly that attempt to establish an interpersonal relationship with you for future exploitation
-*If you suspect or know that private data is being used or shared inappropriately, refer to the Minnesota State system [http://www.minnstate.edu/system/its/security/breachnotification/index.html Breach Notificaiton Standard]and contact your supervisor. If you have any questions or concerns you can contact [[TSC Phone Support]] at 507-457-5240.
+*'''Vishing''' - Voice messages (e.g., phone calls, voicemail messages) used to increase the perceived urgency and authenticity of the attack
-====Report Phishing Emails Please====
+==Stay vigilant and safe==
-To help the WSU IT Department identify security threats please forward any emails that ask for your password to '''abuse@winona.edu.'''
+Here are some good tips for spotting possible phishing messages and protecting yourself from attack:
+*Enable multi-factor authentication on any account that offers it. Once enabled, even if attackers steal your password, they cannot access your account without a second form of verification.
+*No one from any Minnesota State organization will ever ask for any private data (e.g., your password, social security number) via phone, email, or text.
+*Be wary of messages from people or organizations you don't know and messages from those you do know, but that include unusual requests (e.g., purchase gift cards for family members).
+*Phishing messages often include typos, spelling errors, and grammatical mistakes.
+*Phishing messages often convey a heightened sense of urgency or importance (e.g., a limited time to reply, severe negative consequences).
+*Be suspicious of any email or text message that asks you to select a link or web address embedded in the message. Mouse over the link without selecting it to examine the web address or URL. If the address looks unusual in any way, report it.
-==Best Practices==
-The safest way to protect yourself is to NEVER share your password(s) with anyone.
-==How to Protect Yourself from Commons Scams==
-*If you get an email or pop-up message that asks for personal or financial information, do not reply.
-*The IT department would NEVER ask you to verify your password in an e-mail so do not verify in an email.
-*WSU laptops already have Antivirus software DO NOT install another antivirus software.
-*You have not won the lottery in Spain, the Netherlands, Canada or anywhere else. You didn’t buy a ticket, did you?  Do not reply to these emails.
-*A poor widow or bank manager does not need your help to move money from a dead person’s account to another place so do not reply.
-*The IRS is not electronically auditing you so do not reply.
-*The jury duty clerk never calls for your Social Security number so do not provide it.
-*Banks and credit card companies do not email you to verify your account information so do NOT reply.
-==Helpful Information==
-[[Private Data Protection]]
-==Informational Videos==
-==='''MAC'''===
-'''Checking links before you click to open them on a MAC'''
-{{#widget:YouTube|id=wApz5Hr8wTs}}
-==='''PC'''===
-'''Checking links before you click to open them on a PC'''
 {{#widget:YouTube|id=fFNZYio5x68}}
-==Related Articles==
+==More information==
+*[[Multi-factor authentication for Office 365]]
+*[http://en.wikipedia.org/wiki/Phishing Phishing as defined by Wikipedia]
 *[[Student Safe Computing]]
 *[[Private Data Protection]]
@@ Line 60: / Line 54: @@
 *[https://www.stopthinkconnect.org/ Online Safety Awareness site "Stop.Think.Connect"]
-[[category: Internet]][[category: Security]][[Category:YouTube]]
+[[Category:Security]][[Category:Microsoft 365]][[Category:MFA]]