CASITS

 How to Avoid Phishing Scams

Phishing (pronounced “fishing”) is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details or other sensitive details, by impersonating oneself as a trustworthy entity in a digital communication. Typically carried out by email spoofing, instant messaging, and text messaging, phishing often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.  Wikipedia

Common Phishing Tactics

Phishing is by far the most common form of cyber-crime reported to the FBI’s Internet Crime Complaint Center (IC3). Common phishing tactics include:

• Messages warning of an impending de-activation or closure of an account, and a link to a website to ‘verify’ your account – which actually steals your credentials. Sometimes they will make the scary claim that your account was compromised and you must prove your identity.
• Offer of a job to the recipient. Usually this is an unsolicited job that offers unrealistically high pay, and with no interview or a few perfunctory questions by email. Eventually, the criminal will either ask for personal information “for payroll purposes” which is actually used for identity theft. Another common tactic will be to ask the new ‘employee’ to purchase some goods – sometimes a list of ‘supplies’ needed for the job or gift cards, with a promise of being reimbursed.
• Urgent messages claiming to be from an executive or other important person asking for a time-sensitive favor, which often involves buying gift-cards and replying with the gift card numbers or photos of the cards.
• Messages claiming to be from a store or common service (such as Netflix) pretending that payment was denied for a recent purchase, and directing you to a (fake) website to have you re-enter your credit card information.
• A forged message from a bank alerting you to an account update you need to perform, or that a fraudulent transaction was suspected and you need to login immediately to resolve it.
• Messages claiming to be from the IRS, the FBI, or other government agencies. Sometimes they get your hopes up and pretend that you have a big tax refund waiting, and sometimes they accuse you of committing some crime or threaten you with penalties.

Protective Measures - Don't get hooked

Learn to recognize phishing, they often…

• Attempt to build credibility by spoofing a real company or university. Often, the messages are laughably bad, but many are incredibly believable facsimiles of real messages. The most dangerous are personalized specifically for you, referred to as spear phishing, using knowledge about you or your work.
• Create a false urgency requring a quick response – such as warning that your account will be closed.
• Insist on a call to action – urge you to click a link or reply with information.
• Do not address you by name or include other information specific only to you.

Use common sense when giving out personal information

• Be suspicious by default.
• Check the email for fake web links or fake web addresses.
• Never give out account or personal information by email.
• Remember, FSU will never ask you for your password. Only enter your password into the official FSU login page: my.fsu.edu

Verify the information reported in the e-mail

• If in doubt, call the FSU Service Center at 850-644-4357 to validate the message.
• If the message claims to be from someone at FSU, look the sender up in the FSU Directory and call them using the number listed, or respond to the official email address.

Anatomy of a Phish - "Phish Tank!"

Don’t take the bait! Below is a list of known phishing attacks targeting FSU. If you receive one of these emails, do not respond; delete the message from your inbox. To see some of the most recent Phishing emails here at FSU, go to the Phish Tank:

PHISH TANK

Can You Spot Phishing?

Take this phishing quiz from Google, which presents realistic examples of phishing messages and authentic messages for you to choose from. It will also point out clues to help you identify fraudulent messages.

Phishing With Google

Report Phishing at FSU - show us the headers

If you receive a phishing message that targets you as an FSU staff, faculty, or student, you should check the FSU IT Phish Tank web page to determine if we are already aware of that particular phishing attack. The best way to report phishing is by emailing abuse@fsu.edu or using the "Report Message" add-on in FSU's Outlook desktop clients.

If you don’t have the "Report Message" add-on, you can report phishing attacks by forwarding the original phishing message, with full message headers, to abuse@fsu.edu. It is important that we get the full message with the original routing information (headers) to determine the source of the email and best be able to block it. The easiest way to do so is to choose ‘Forward as attachment’ in your email client.

How-to show full headers:

• MS Outlook Web (Office 365) App
• MS Outlook Desktop App

For information on how to install and use the "Report Message" add-on:

• FSU Service Center: Reporting to abuse@fsu.edu and How-To Use the Report Messages Outlook Add-In

Additional Resources

• FSU IT Security Advisories
• FSU Identity Theft and Other Internet Scams
• FSU Safe E-mail & Instant Messaging Practices
• Anti-Phishing Working Group
• Internet Crime Complaint Center
• Cybersecurity and Infrastructure Security Agency
  • Security Tip (ST04-014): Avoiding Social Engineering and Phishing Attacks