Phishing

From WSU Technology Knowledge Base
REVISION IN PROGRESS: This article contains useful information, but is being revised to reflect recent updates. Direct questions to TLT (tlt@winona.edu).

Phishing is the fraudulent attempt to obtain sensitive information (e.g., usernames, passwords, credit card details) via email, text messaging, and telephone communication by disguising oneself as a trustworthy entity. Numerous phishing emails are sent to WSU addresses every day. Many are detected and deleted before they reach your mailbox, but some cleverly disguised messages get through. Falling for phishing schemes can have terrible consequences for you and puts everyone in the Winona State University community at risk. Using your credentials and associated permissions, hackers can access Winona State University network resources and data, including private information to which you have access. Protecting yourself and Winona State University from phishing attacks is everyone's responsibility and an important part of being a good digital citizen. Your best defenses against phishing are knowledge and vigilance.

What everyone should know

Phishing fundamentals

These are the top six things that every Winona State University student and employee should know about phishing:

  1. Always enable multi-factor authentication on any account that offers it.
  2. Always suspect any request for your password, social security number, or any other private data via email or phone.
  3. Never respond to a suspicious message or engage the attacker in any way.
  4. Never select a link in any suspicious email or text message.
  5. Never forward suspicious email to others, even Winona State University technical support staff.
  6. Always report any suspicious messages using the procedures listed below.

Report phishing

Suspicious Outlook email messages

  • In the online version of Outlook, select Phishing from the Junk menu while viewing the message
  • In the installed, desktop version of Outlook, select Phishing from the Report Message menu on the Home ribbon while viewing the message

Suspicious text messages, phone calls, and voicemail messages

Types of phishing

Attackers use a variety of phishing methods when attempting to trick you. Perhaps the most convincing are messages targeting you directly based on information about you the attacker found online. Fraudulent messages in which the attacker actually speaks to you over the phone can also be difficult to detect.

  • Basic phishing - Generic messages sent to a large number of people in hopes that some will fall victim
  • Spear phishing - Personalized messages targeting you directly based on the attacker's knowledge about you (e.g., in what area of Winona State University you work, coworkers' names), usually obtained from public, online sources
  • Whaling - Personalized messages targeting high-value targets (e.g., people with access to valuable data) directly
  • Cat phishing - Personalized messages targeting you directly that attempt to establish an interpersonal relationship with you for future exploitation
  • Vishing - Voice messages (e.g., phone calls, voicemail messages) used to increase the perceived urgency and authenticity of the attack

Stay vigilant

Spotting common phishing tricks

  • No one from any Minnesota State organization will ever ask for any private data (e.g., your password, social security number) via phone, email, or text.
  • A request to select a link in an email message.
  • A request to provide your password, social security number, or other private information. The attacker might ask you to send the information directly or enter it into an online form.
  • Heightened urgency and importance
  • Spelling errors and typos


The most common form of phishing is an email pretending to be from a legitimate retailer, bank, organization, or government agency. The sender asks you to “confirm” your personal information for some made-up reason: your account is about to be closed, an order has been placed in your name, or your information has been lost because of a computer problem. One phishing email you may receive regarding Winona State claims that the WSU IT Department wants you to confirm your username and password. Do NOT do this! THE WSU IT DEPARTMENT WOULD NEVER ASK YOU TO REVEAL PRIVATE INFORMATION IN AN EMAIL.

Report all phishing attacks

What Should You Do

  • If you receive an email that asks for your PASSWORD, CREDIT CARD, or any other private data - DO NOT respond (email, web form, etc.). Although these emails can (and usually do) look official and appear to be sent from a legitimate source, they are SCAMS. The WSU Information Technology Department would never ask you to reveal private information such as your password via email. This is also true of your bank, PayPal, eBay, etc.
  • The safest way to protect yourself is to NEVER share your password(s) with anyone.
  • Don’t click on links within emails that ask for your personal information.
  • Never enter your personal information in a pop-up screen.
  • Report Phishing Emails
  • If you suspect or know that private data is being used or shared inappropriately, refer to the Minnesota State system Breach Notification Standard and contact your supervisor. If you have any questions or concerns, you can contact TSC Phone Support at 507-457-5240.

Report Phishing Emails Please

To help the WSU IT Department identify security threats, please forward any emails that ask for your password to abuse@winona.edu.

Best Practices

The safest way to protect yourself is to NEVER share your password(s) with anyone.

How to Protect Yourself from Common Scams

  • If you get an email or pop-up message that asks for personal or financial information, do not reply.
  • The IT department would NEVER ask you to verify your password in an email, so do not verify it in an email.
  • WSU laptops already have antivirus software. DO NOT install another antivirus program.
  • You have not won the lottery in Spain, the Netherlands, Canada or anywhere else. You didn’t buy a ticket, did you? Do not reply to these emails.
  • A poor widow or bank manager does not need your help to move money from a dead person’s account to another place so do not reply.
  • The IRS is not electronically auditing you so do not reply.
  • The jury duty clerk never calls for your Social Security number so do not provide it.
  • Banks and credit card companies do not email you to verify your account information so do NOT reply.

Types of Phishing

Helpful Information


Informational Videos

PC

Checking links before you click to open them on a PC
