My company sent this message out to employees yesterday and I thought it was such a good summary of how to protect yourself against phishing that I should share it. I’ve been very lucky over the years to avoid viruses and almost all malware and phishing. A lot of that is due to me being ridiculously skeptical about anything on the internet :-) Almost all of my less skeptical friends have fallen victim to something or another. I wish I could remember who first told me this, but I know it has stuck in my head for years:
NEVER EVER EVER (!!) CLICK ON A LINK IN AN EMAIL TO A SITE WHICH REQUIRES YOU SIGN IN WITH A UNIQUE USERNAME OR PASSWORD!!
Even if I know I am expecting an email from a company, I still use my bookmarked link to the company or else just type in their website address directly. I also do the hover test shown below. Anyhow – I hope this helps you keep your systems and emails clear of troublemakers!
Due to a recent increase in malicious phishing emails sent to employees, please review the following best practices guide.
The word “phishing” is made up of the words Password and Fishing. Phishing emails are attempts to gather your usernames and passwords in order to gain access to your email, your personal information or even work related documents.
· Phishing emails typically direct you to a fake web page that will ask you to submit your username and password or other personal information.
· These fake websites are often very convincing, using correct logos, colors and writing.
· The goal of the attackers is to get the user to enter their usernames, passwords or other identifying information into a web form.
How can you determine whether an email is legitimate or a phishing attempt?
· It is highly unlikely that any reputable organization will every ask you for your personal information by email.
In phishing emails you will most likely see the following:
o Unsolicited requests for information, of any kind, should be considered a danger sign.
o Real logos or photos might be used.
o Will often use words like “Official” and “Urgent” to suggest it is authentic.
o Often such emails will have poor spelling and grammar.
o The sender’s name and email address may not match. In the example below, a recent phishing email suggested it was from National University, but the email address and the mailto: address did not match.
From: National University <firstname.lastname@example.org> [mailto:email@example.com]
o Before clicking on any links, verify that the link’s name matches its web address. In the phishing example below, notice that when you hover over the RESOLVE link, the web address starts with http://fuwu.com.hk/. This is not a valid NUS web site.
What should you do next?
· If you are not a customer of the site, delete the email immediately. Do not click on any included web links or reply to the email.
· If you are a customer and you are not sure if the email is legitimate,
o Contact the person or organization by phone and ask if the email is official.
o Instead of clicking on any included web links, visit the organization’s official website by typing in the official web address into your browser’s address bar.
If at any point in time you feel that you have fallen victim to a phishing attempt:
· Change your password immediately.
· If the email looks as if it was sent from another company, contact that company by phone to report the incident.