Phishing Attacks: Are You At Risk?
One of the most common online scams is called phishing. Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by masquerading as a trustworthy entity. Online scammers pose as legitimate businesses, organizations, or individuals. If they are able to gain the trust of their victims, they can leverage that trust to convince victims to willingly give up information or click on malicious links or attachments. Online scammers can make their communications appear to be those of legitimate businesses or organizations by spoofing the email address (i.e., sending email with a forged sender address), creating a fake website with legitimate logos, and even providing phone numbers for an illegitimate customer service center operated by the scammers.
Two common types of phishing attacks:
- Phishing Messages - Phishing attacks are scams that can arrive through many channels. Email has historically been the most common, but be wary of unsolicited messages received via email, text (SMS), social media, phone calls, and any other platform on which you can be reached. The phishing message, purporting to be from a popular company or organization, may ask you to click on a link in order to fix a problem with your account. In other instances, the message may threaten to close your account if you do not respond. Scammers often claim that your security has been compromised in order to increase the likelihood that the recipient will respond.
- Spear Phishing - Spear phishing is a personalized email attack in which a specific organization or individual is targeted. These attacks are prepared using information about an individual to make the email appear to be legitimate and induce the recipient to divulge sensitive information or download a malicious file. Such attack preparation is often based on extensive information gathering on the targets and has become one of the favored methods used in cyber espionage.
Phishing scams can be difficult to identify; however, being aware of the threat and being vigilant in examining emails can reduce the risk that you will fall prey to such an attack.
Avoid Getting Phished
- Be cautious about all communications you receive, including those that claim to be from "trusted entities." Be careful when clicking any links contained within those messages. If in doubt, do not click.
- Keep an eye out for telltale signs: poor spelling or grammar, the use of threats, or a URL that does not match that of the legitimate site.
- While poor spelling and grammar can still be a sign, keep in mind that the use of AI to craft convincing, grammatically correct phishing messages has made it harder to recognize malicious communications.
- If you receive an unsolicited email or similar message requesting sensitive information or prompting you to click a link, the best action is to delete the message without interacting with it in any way. Report the communication to your supervisor as soon as possible.
- Independently verify any messages requesting personal information that you think may be legitimate. A quick phone call to the sender, using a number you already have rather than one supplied in the message, can save you from possible catastrophe.
- Be wary of how much information you post online. The less information you post, the less data you make available to a cybercriminal for use in developing a potential attack or scam.
Email Do's and Don'ts
DO exercise caution with all email communications you receive, including those that purport to be from a trusted entity. Inspect the sender’s information to confirm the email was generated from a legitimate source.
DO keep an eye out for telltale signs of phishing - poor spelling or grammar, the use of threats, a URL that does not match that of the legitimate site. If the message does not feel right, chances are it is not.
DON’T click on links embedded in an unsolicited email.
DON’T open unexpected email attachments. The attached files may be hiding malicious software.
DON’T send your personal information via email. Legitimate businesses will not ask users to send sensitive personal information through email.
DON’T post sensitive information online. The less information you post, the less data you make available to a cybercriminal for use in developing a potential attack or scam.
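Two of the telltale signs above, a link whose visible text names one site while its real destination is another, and a sender address that does not match where replies actually go, can be checked mechanically before a message reaches a mailbox. The script below is an added example, not code from this page or from NYS CISO; the sample message is constructed for illustration and the simple regex stands in for a proper HTML parser.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): the visible link text names one
# site while the href leads elsewhere, and Reply-To differs from From.
SAMPLE_EML = """\
From: "Example Bank Support" <alerts@examplebank.com>
Reply-To: support@example-bank-login.test
Subject: Action required
Content-Type: text/html

<p>Your account is locked. Visit
<a href="http://example-bank-login.test/verify">https://www.examplebank.com/</a>
within 24 hours or it will be closed.</p>
"""

# Adequate for simple HTML mail; a production filter should use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)

def host_of(text):
    """Lower-case host of a URL or bare domain; '' if the text is not one."""
    text = text.strip()
    if not text or " " in text or "." not in text:
        return ""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def mail_domain(header_value):
    """Domain part of the address in a From:/Reply-To: header, lower-cased."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def phishing_indicators(raw):
    """Return [(indicator, detail), ...] for the telltales listed above."""
    msg = email.message_from_string(raw)
    findings = []
    from_host, reply_host = mail_domain(msg.get("From")), mail_domain(msg.get("Reply-To"))
    if reply_host and reply_host != from_host:
        findings.append(("reply-to domain differs from From", f"{from_host} -> {reply_host}"))
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append(("link text does not match destination", f"{shown} -> {real}"))
    return findings

if __name__ == "__main__":
    for kind, detail in phishing_indicators(SAMPLE_EML):
        print(f"{kind}: {detail}")
```

A mismatch is an indicator for a human to review, not proof of phishing: legitimate mailers also use tracking links and separate reply addresses, so treat the output as a prompt to verify independently.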
Phishing Awareness Quiz Resources
Test your knowledge about phishing and learn how to protect your data with these online quizzes.
These links are provided because they have information that may be useful. The NYS Chief Information Security Office (CISO) and the State of New York do not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CISO or the State of New York.