Phishing

From WSU Technology Knowledge Base
REVISION IN PROGRESS: This article contains useful information, but is being revised to reflect recent updates. Direct questions to TLT (tlt@winona.edu).

Phishing is the fraudulent attempt to obtain sensitive information (e.g., usernames, passwords, credit card details) via email, text messaging, and telephone communication by disguising oneself as a trustworthy entity. Numerous phishing emails are sent to WSU addresses every day. Many are detected and deleted before they reach your mailbox, but some cleverly disguised messages get through. Falling for phishing schemes can have terrible consequences for you and puts everyone in the Winona State University community at risk. Using your credentials and associated permissions, hackers can access Winona State University network resources and data, including private information to which you have access. Protecting yourself and Winona State University from phishing attacks is everyone's responsibility and an important part of being a good digital citizen. Your best defenses against phishing are knowledge, vigilance, and multi-factor authentication.

What everyone should know

Phishing fundamentals

These are the top six things that every Winona State University student and employee should know about phishing:

  1. Always enable multi-factor authentication on any account that offers it.
  2. Always suspect any request for your password, social security number, or any other private data via email or phone.
  3. Never respond to a suspicious message or engage the attacker in any way.
  4. Never select a link in any suspicious email or text message.
  5. Never forward suspicious email to others, even Winona State University technical support staff.
  6. Always report any suspicious messages using the procedures listed below.

Reporting suspected phishing

Suspicious Outlook email messages

  • In the online version of Outlook, select Report Message and then Phishing from the More actions menu while viewing the message
  • In the installed desktop version of Outlook, select Phishing from the Report Message menu on the Home ribbon while viewing the message

Suspicious text messages, phone calls, and voicemail messages

Types of phishing messages

Familiarize yourself with the types of phishing messages attackers use to trick you. Perhaps the most convincing are messages targeting you directly based on information about you the attacker found online. Fraudulent messages in which the attacker actually speaks to you over the phone can also be difficult to detect.

  • Basic phishing - Generic messages sent to a large number of people in hopes that some will fall victim
  • Spear phishing - Personalized messages targeting you directly based on the attacker's knowledge about you (e.g., in what area of Winona State University you work, coworkers' names), usually obtained from public, online sources
  • Whaling - Personalized messages targeting high-value targets (e.g., people with access to valuable data) directly
  • Cat phishing - Personalized messages targeting you directly that attempt to establish an interpersonal relationship with you for future exploitation
  • Vishing - Voice messages (e.g., phone calls, voicemail messages) used to increase the perceived urgency and authenticity of the attack

Stay vigilant

Here are some good tips for spotting possible phishing messages:

  • No one from any Minnesota State organization will ever ask for any private data (e.g., your password, social security number) via phone, email, or text.
  • Be wary of messages from people or organizations you don't know, and of messages from those you do know that make unusual requests (e.g., purchase gift cards for family members).
  • Look for typos, spelling errors, and grammatical mistakes.
  • Phishing messages often convey a heightened sense of urgency or importance (e.g., a limited time to reply, severe negative consequences).
  • Be suspicious of any email or text message that requests you to select a link or web address embedded in the message.

How to Protect Yourself from Common Scams

  • If you get an email or pop-up message that asks for personal or financial information, do not reply.
  • The IT department would NEVER ask you to verify your password in an email, so do not verify it in an email.
  • WSU laptops already have antivirus software. DO NOT install another antivirus program.
  • You have not won the lottery in Spain, the Netherlands, Canada or anywhere else. You didn’t buy a ticket, did you? Do not reply to these emails.
  • A poor widow or bank manager does not need your help to move money from a dead person’s account to another place, so do not reply.
  • The IRS is not electronically auditing you, so do not reply.
  • The jury duty clerk never calls for your Social Security number, so do not provide it.
  • Banks and credit card companies do not email you to verify your account information, so do NOT reply.

Types of Phishing

Helpful Information


Informational Videos

PC

Checking links before you click to open them on a PC
