Phishing attacks steal personal information by tricking you into doing something, like clicking a link or entering your username and password. Phishing comes in many forms: emails, phone calls, website downloads. These phishing attempts may look like they are from Florida State University—often IT Services or the Service Desk—but don’t fall for the tricks! Follow these tips to help protect yourself from phishing attacks.
REMEMBER! FSU will never ask you for your FSUID username and password in an email or phone call.
Reporting Phishing Attempts
If you have been targeted by a phishing attack at FSU:
- Call the ITS Service Desk to verify whether or not an email claiming to be from FSU is legitimate: 850-644-4357
- Forward the email to abuse@fsu.edu
- If you believe your account has been compromised, follow these instructions: Steps to Secure a Compromised FSUID Account
Phishing Warning Signs
Display Name Spoofing
This highly targeted spam attack often slips past mail-filtering solutions. Unlike other spam, the mail is sent from a registered email address on a valid domain (e.g., spamuser@gmail.com), but with the display name set to a key contact or partner of a user within the recipient organization, so the sender looks familiar at a glance.
Username and password request
Again, FSU or any legitimate company—banks, insurance companies, social media accounts, etc.—will never ask for your username and password in an email or phone call. NEVER reply to an email or phone call with your username and password, and NEVER enter your password on a site you accessed via a link in an email.
Spelling erors and ungood grammer
Most cybercriminals did not get an “A” in English class. At FSU and other reputable companies, communications are proofed by professional copy editors and communication specialists to make sure everything is top quality before it goes to press. If you see ghastly spelling errors or cringe-worthy grammar, it’s likely a phishing message.
Suspicious links
A link. That’s usually where it all starts. Always stop and think before clicking email and website links. Keep in mind that you can make anything a hyperlink. Even though the text might say www.fsu.edu, there is no guarantee that you’ll end up on that site. Hover over or long tap a link to display the true URL.
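As an added example (not code from this FSU page), here is a small Python check for the two warning signs above: a trusted display name paired with an outside sender address, and link text that names one site while the real URL goes elsewhere. The trusted domain, the contact watch list and the sample message are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "fsu.edu"                                   # assumed trusted domain
KEY_CONTACTS = {"its service desk", "fsu it services"}   # constructed watch list
# Simplified anchor matcher, enough for this demo; a real filter would parse the HTML.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def display_name_spoof(from_header):
    """Trusted display name paired with a sender address outside ORG_DOMAIN."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    trusted = domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)
    if name.strip().lower() in KEY_CONTACTS and not trusted:
        return f"display name '{name}' but sender domain '{domain}'"
    return None

def mismatched_links(html):
    """(visible text, real href) pairs where the shown host differs from the link host."""
    hits = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()      # drop inner tags
        if " " in text or "." not in text:               # plain words, not a URL
            continue
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            hits.append((text, href))
    return hits

def phishing_signs(raw_message):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = [s for s in [display_name_spoof(str(msg["From"] or ""))] if s]
    body = msg.get_body(preferencelist=("html",))
    for text, href in mismatched_links(body.get_content() if body else ""):
        findings.append(f"link text '{text}' actually goes to {href}")
    return findings

# Constructed sample exhibiting both warning signs (not a real message).
SAMPLE = ("From: ITS Service Desk <spamuser@gmail.com>\nTo: student@fsu.edu\n"
          "Subject: Your account will be closed\nContent-Type: text/html\n\n"
          '<p>Log in now: <a href="http://login-verify.example/fsu">www.fsu.edu</a></p>\n')

if __name__ == "__main__":
    for finding in phishing_signs(SAMPLE):
        print("WARNING:", finding)
```

Hovering over the link, as the text above recommends, reveals the same mismatch the script reports; the script just does it for every link in the message.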
Threats
Cybercriminals often try to bully you into taking action by threatening you will lose something if you don’t respond right away. Common threats include “your email account will be closed” or “your device is infected.” The goal of cybercriminals is to make the situation seem dire so that the victim—you—feels obligated to take action and provide personal information. In real life, ITS is really quite nice, and we will never require you to log in to keep your account.
Spoofed websites
Does something look a bit off? If you clicked a link in an email, pay attention to the page you landed on. Scam artists often spoof trusted websites, making their phony site look very similar to the real thing. Pay particular attention to the URL; if it is anything other than expected, close the page immediately.
Whaling
The Florida State University Information Technology Services team has received a number of reports from faculty and staff who have been recipients of a new twist on an old e-mail scam. You may have heard of phishing before, but these scams are referred to as whaling. They use a “big fish” to reel you in. A whaling attack is a method used by cybercriminals to masquerade as a senior player at an organization and directly target senior or other important individuals at an organization, with the aim of stealing money or sensitive information or gaining access to their computer systems for criminal purposes. The scam goes like this.
Phishing Example
Here’s an example of what a phishing email might look like.
Tips to Avoid Phishing Scams
- Think before clicking email and website links and never click a link that looks suspicious.
- Before clicking, hover over or long tap a link to display the true URL and see if it is linking to a reputable website.
- Instead of clicking, type website addresses in your browser to access sites directly.
- Be skeptical of messages that require “immediate action” or threaten that you will lose something.
- Do not open attachments you aren’t expecting—especially ZIP files—and NEVER run .exe files.
- Avoid providing personal information over the phone, especially from an unsolicited call.
- Never send credit card or other sensitive information via email.
- Use common sense. If it looks like spam, then it probably is spam.
Links
Check out the following resources for more info and tips on how to avoid phishing scams.
Phishing (SANS Ouch! Newsletter)