Phishing
One of the easiest ways to collect your personal information is to trick you into just handing it over, called phishing. Phishing attacks use 'spoofed' emails, fraudulent websites, and even phony customer service calls to fool you into giving out your personal information, such as credit card numbers, account usernames and passwords, social security numbers, etc. Phishing is a type of social engineering attack and is often coupled with other methods to gain information about a target.
Best practices
- Never give out or enter sensitive or personal information unless you initiated the contact
- Look for obvious signs of phishing, but don’t rely on them
- Think before you click. If something seems unusual, don’t reply or click
- Find an official phone number or website to contact the legitimate company or person to follow up on the message
Look for obvious signs
Many phishing attempts will have obvious signs they are not legitimate, but others will have very little indication they are trying to steal your information until they ask for it.
Signs of phishing include:
- Asking for your personal information or taking you to a website that asks you to sign in or enter other personal information
- Urgent calls to action, often with serious consequences (e.g., “You must verify your information immediately or your account will be deleted.")
- Messages containing poor grammar and typos
- Messages coming from an unusual name or email address (e.g., a message may appear to come from “whitman.president.name@gmail.com)
- Website addresses that don’t make sense (e.g., a link takes you to “whitman.web.com” instead of “whitman.edu”)
- Very vague messages designed to get a quick reply (e.g., "are you available?")
However, information can be mimicked, accounts can be compromised, and sophisticated attacks can look exactly the same as legitimate messages.
Don't respond to messages that don't make any sense and lack context.
Think before you click
Using common sense and being cautious can save you from most attacks. Consider these situations:
- You get an email from a co-worker you very rarely communicate with via mail, “Hello. Are you available?”
Think: Why would they be sending you something so unexpectedly and with so little explanation? They probably aren’t. The email may be designed to get you to respond and ask for additional information or perform a task that is out-of-the-ordinary (like purchase gift cards). - You see a Facebook post that “Well Known Company” is giving away $100 gift cards, you just have to visit "wellknowncardgiveaway.freesites.com" to sign up.
Think: Why would they use such an unusual web address instead of their official website wellknown.com? They wouldn't, and the site is more than likely fake. - You get a phone call from someone claiming to be from your bank, stating that there has been a suspicious charge on your account and they need you to verify your name, address, and credit number or they will freeze the account.
Think: How do I know this is a legitimate call from my bank? Why do they need all that information? How else could I otherwise verify this call (e.g., sign in to their official website, contact the customer service number printed on the back of the card, etc.)? If they are your bank, they won’t mind you wanting to call them back at their official phone number.
What to do if you you’ve received a 'phishing' message
- If you receive a message you think might be attempting to phish you, do not follow the instructions. You may be providing important personal information to criminals.
- When you receive spam or phishing messages, click the "Report Spam" button in Gmail. This helps Gmail know to block the message and helps stop other people from receiving it. If you click the "Unsubscribe" link in spam emails, it may actually prove to the sender that the account is active and cause you to get more spam.
- Ask around. Your co-workers, friends, and family may have seen similar messages in the past – forward messages to phishy@whitman.edu.
- If the message came from someone you know or a company you do have an account with, call the person or company to verify its authenticity using a known, official phone number, not one in the phishing message, which can be fake as well.
- If your personal information has been compromised, change any compromised account passwords, contact any financial institutions, etc. You may want to consider contacting a credit agency to put a suspicious activity alert on your credit profile.
- If you believe your College information may have been compromised, contact the WCTS Help Desk or Information Security Office immediately.