
You have reached the home of the College of Arts and Sciences Information and Technology Support Team. Our team provides as-needed support for a number of departments, programs and units within the College of Arts and Sciences.

If you have a computer or technology request needing immediate attention, go to:

Request Support


Email SPAM and Phishing

Possible Affected Systems: Any University Account

FSU faculty, staff and students are receiving more and more sophisticated, targeted email phishing attempts. Most current phishing emails look quite convincing until you look at the details of the message: who it came from, what they are asking for, details that are incorrect (wrong address, phone number, name, etc.), where they want to send you (links in the message to odd URLs), etc. We continue to see long emails detailing changes to your account which are false, and even short messages with spoofed sender information (the name on the ‘From’ looks correct, but when you hover over the ‘From’ it shows an incorrect or odd email address).

Digitally signed files are a part of many FSU business processes, and are often passed around via automated emails. Criminals also use them as a clever method to hide malicious payloads. This method of phishing has become more common because the emails don't always look like they came from a human anyway, so those targeted are.

For example, here is a fake DocuSign email:

The malicious part of this email is following the link:

Reviewing the information found in the email's FROM and TO makes this very suspicious: it was sent from a person I have no contact with, from a @my.fsu.edu address (which is a student email), and the TO is completely missing:

If you see an email like the one above and feel it might be real, please feel free to contact us and have us review the message.
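The FROM, TO and link checks described above can also be run automatically over a raw message. The following is an added example, not part of the original page or any FSU tooling; the sample message, the `review_message` helper and the list of expected DocuSign domains are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real email): branded display name, a student-domain
# sender address, no To header, and a link to an unrelated host.
SAMPLE = """\
From: "DocuSign Signature Service" <jdoe123@my.fsu.edu>
Subject: Please review and sign your document
Content-Type: text/plain

REVIEW DOCUMENT: http://docs.signing-portal.example/view?id=1
"""

def domain_matches(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def review_message(raw, brand, brand_domains):
    """Return a list of findings for the header and link checks described above."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    # The display name claims the brand, but the address is not on a brand domain.
    if brand.lower() in display.lower() and not domain_matches(sender_domain, brand_domains):
        findings.append(f"display name says {brand!r} but sender is {addr}")
    # A signing notice is addressed to the signer; a missing To is a red flag.
    if not (msg.get("To") or "").strip():
        findings.append("To header is missing")
    # Every link should lead to the organization the message claims to be from.
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        host = urlparse(url).hostname or ""
        if not domain_matches(host, brand_domains):
            findings.append(f"link points to unexpected host {host}")
    return findings

if __name__ == "__main__":
    # brand_domains is an assumption for this example; use the vendor's published list.
    for finding in review_message(SAMPLE, "DocuSign", ["docusign.com", "docusign.net"]):
        print("SUSPICIOUS:", finding)
```

A message that passes all three checks can still be malicious, so an empty result is not proof that the email is real.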

Be alert and definitely be suspicious of emails requesting account information or requiring you to immediately pass privileged information back to the sender or through a link (URL).

Phishing emails are crafted to appear as though they have been sent from a legitimate organization or known individual. These emails often entice users to click on a link or open an attachment containing malicious code. After the code is run, your computer may become infected with malware. In some cases, the user may be directed to a site that is tailored to look like valid University login systems, so make sure to review the URL in the browser.

A commitment to cyber hygiene and best practices is critical to protecting organizations and users from cyber threats, including malware.

As advice specific to any phishing threat, users should:

  • Be careful when clicking directly on links in emails, even if the sender appears to be known; attempt to verify web addresses independently (e.g., contact your organization's helpdesk or search the Internet for the main website of the organization or topic mentioned in the email).
  • Exercise caution when opening email attachments. Be particularly wary of compressed or ZIP file attachments.
  • Follow best practices for Server Message Block (SMB) and update to the latest version immediately. (See US-CERT’s SMBv1 Current Activity for more information.)

For general best practices on patching and phishing, users should:

  • Ensure that your applications and operating system have been patched with the latest updates. Vulnerable applications and operating systems are the target of most attacks. (See Understanding Patches.)
  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Avoid providing personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
  • Avoid revealing personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Be cautious about sending sensitive information over the Internet before checking a website's security. (See Protecting Your Privacy.)
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from anti-phishing groups such as the APWG.
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic. (See Understanding Firewalls, Understanding Anti-Virus Software, and Reducing Spam for additional information.)

If you believe that you have been a victim of a phishing attack or ransomware infection, immediately report the incident to our College IT Support Team (Request Support page) or to ITS' Service Center (https://help.fsu.edu/).
