
Phishing Basics

Phishing is when an attacker tricks you into handing over personal information such as credit card numbers, usernames and passwords, or Social Security numbers.  Commonly they use “spoofed” emails, fraudulent websites, phone calls, or phony text messages to fool you.  Phishing is a type of social engineering attack used to gain information from a target; it works on the person rather than on the technology.

Best Practices

  • Never give out or enter sensitive or personal information unless you initiated the contact
  • Look for obvious signs of phishing, but don’t rely on them
  • Think before you click.  If something sounds unusual, don’t click it.  If it sounds too urgent, don’t click on it.
  • Find the official phone number or website to contact the legitimate company or person to follow up on the message

Signs an email/phone call/text is phishing

Many phishing attempts will have obvious signs that they are not legitimate, but others give very little indication that they are trying to steal your information until the moment they ask for it.

Signs to look for

  • Asking for your personal information or taking you to a website that asks you to sign in or enter other personal information
  • Urgent call to action, often with serious consequences (e.g., “We will need you to confirm that your account is in use, click here in order to keep your account active” or “Reset your quota using this link and avoid losing incoming messages”)
  • Messages containing poor grammar and typos
  • Messages coming from an unusual name or email address (e.g., a message may appear to come from ekupresident[at]gmail.com)
  • Website addresses that don’t make sense (e.g., a link takes you to “ekuu.weebly.com” instead of “eku.edu”)
  • A high-interest message that provides little context as to what it is about (e.g., “I really thought you’d enjoy this movie!  Openmenow.exe”)

Keep in mind that sender information can be mimicked and spoofed, real accounts can be compromised, and a sophisticated attack can look exactly like a legitimate message.  The absence of these signs does not mean a message is safe.
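The “website addresses that don’t make sense” sign can be checked mechanically rather than by eye, and doing so shows why a quick glance is not enough: “eku.edu.evil.example”, “ekuu.weebly.com” and “https://eku.edu@evil.example/” all contain the text “eku” yet none of them is the university’s site.  The following Python is an added example written for this page; it is not part of EKU IT’s tooling, and the trusted-domain list and sample links are constructed for illustration.  It resolves the host a browser would really connect to, accepts only exact matches or true subdomains of a trusted domain, and flags the common tricks (userinfo before “@”, punycode labels, link text that shows one address while the link points at another).

```python
import re
from urllib.parse import urlsplit

# Domains the organisation legitimately uses.  Constructed for this example;
# a real deployment would load the list from configuration.
TRUSTED_DOMAINS = ("eku.edu",)

# Matches link text that *looks* like a web address (with or without a scheme).
URL_LIKE = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/:?#]\S*)?$")


def actual_host(url: str) -> str:
    """Return the lower-cased host a browser would really connect to.

    urlsplit() handles two common tricks: 'https://eku.edu@evil.example/'
    (the real-looking name is just userinfo) and a bare 'eku.edu.evil.example'
    with no scheme, which we normalise by prepending http://.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_trusted_host(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if host is exactly a trusted domain or a subdomain of one.

    A plain substring test ('eku' in host) would pass 'eku.edu.evil.example'
    and 'ekuu.weebly.com'; the dot-prefixed suffix test does not.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_link(href: str, display_text: str = "") -> list:
    """Return the reasons a link is suspicious; an empty list means none found."""
    reasons = []
    host = actual_host(href)
    if not host:
        return ["no hostname in link"]
    if not is_trusted_host(host):
        reasons.append(f"host {host!r} is not under a trusted domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append(f"host {host!r} uses punycode (possible look-alike characters)")
    netloc = urlsplit(href if "://" in href else "http://" + href).netloc
    if "@" in netloc:
        reasons.append("URL contains '@' (the text before it is not the destination)")
    # Clickable text that looks like an address but points somewhere else.
    shown = display_text.strip()
    if shown and URL_LIKE.match(shown):
        shown_host = actual_host(shown)
        if shown_host and shown_host != host:
            reasons.append(f"link text shows {shown_host!r} but points to {host!r}")
    return reasons


if __name__ == "__main__":
    # Constructed sample links, not taken from any real message.
    samples = [
        ("https://it.eku.edu/", "it.eku.edu"),
        ("http://ekuu.weebly.com/login", "eku.edu"),
        ("https://eku.edu.evil.example/reset", "Reset your quota"),
        ("https://eku.edu@evil.example/login", "https://eku.edu/login"),
        ("https://xn--ku-9ka.edu/", "Click here"),
    ]
    for href, text in samples:
        verdict = check_link(href, text) or ["looks fine"]
        print(f"{href:45} -> {'; '.join(verdict)}")
```

The suffix test is the part people most often get wrong: it must be `host.endswith("." + domain)`, not `domain in host`.  Even a clean result here only says the link goes where it claims; a compromised legitimate account or a trusted site hosting an attacker’s page still passes, which is why the page says not to rely on these signs alone.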

Before You Click

Using common sense and being cautious can save you from most attacks.  For example:

You get an email from the EKU president with just this one question in the body of the message “Are you available?”

Think: Why would they send you something so unexpectedly and with no explanation?  They probably didn’t; a short, vague opener like this is how an attacker starts a conversation from a spoofed or compromised account.

You see a Facebook post that a “Local” or “Well-Known Company” is giving away a $100 gift card, you just have to visit visitmeforgiftcard[dot]godaddy[dot]com to sign up

Think: Why would they use such an unusual web address instead of their official website?  They wouldn’t, and the site is more than likely fake.

You get an urgent email from EKU IT saying they are about to shut down your email account if you don’t log in through a link they provide and give them your username and password.

Think: Why would IT need you to provide that? They are IT and have your username and contact information so if they need you specifically, why wouldn’t they just call?

You get a phone call from someone claiming to be from your credit card company, stating that there has been a suspicious charge on your account and that they need your name, address, and credit card number or they will freeze the account.

Think: How do you know it is a legitimate call from your credit card company?  Phone numbers are easily spoofed too!  Why do they need all that information?  Shouldn’t they have it?  How else can you verify it is them calling (sign into their website, find an old statement and call that number or the one on the back of the card)?  If they are your credit card company, they won’t mind you waiting to call them back at their official phone number.

If you get phished

First, if you’re unsure about any email, you can forward it to EKU IT at spam@eku.edu. We look at every email we receive and will let you know if it is legitimate.

However, if you become a victim:

  • If your personal information has been compromised, change the passwords of any compromised accounts (and of any other accounts that shared the same password), contact your financial institutions, etc.  You may also want to contact a credit bureau to place a fraud alert on your credit file.
  • If you believe your university information may have been compromised, contact the IT Service Desk immediately at 1-859-622-3000

External Links

Phishing and spearphishing

IRS: Report Phishing and Online Scams

What is Phishing? The Ultimate Guide to Phishing Emails and Scams

Contact Information

IT Service Desk
support@eku.edu
it.eku.edu
859-622-3000