What is phishing?
"Phishing" involves mass-delivered messages, often designed to impersonate banks, businesses, Internet service providers or computer help desks. These messages try to entice recipients to provide personal information or to run software allowing the sender to control a recipient's computer.
The goal of phishing attacks is to use your identity or computing resources to make money for the phishers.
What does a phishing attack look like?
Phishing can occur via email, text messages, instant messaging or other media.
These messages try to trick you into responding in various ways. They might pretend that your bank requires account confirmation, or that your email account must be renewed, or that a package is awaiting delivery to you. You might be asked to email your password details or to run a program to solve some issue.
How can I identify a phishing attempt?
Look for clues in the message that indicate it was not sent specifically to you. Look for inconsistencies in addressing, web links, grammar, and geography. Have a look at the IST Security team’s information poster.
How can phishing affect me?
By giving up your username and password, your email accounts could be used to launch attacks on the contacts in your address book, who might be tricked into thinking you have sent a message. Phishers might also try to use your personal information to access your bank or credit card accounts. Your financial well-being and the University's email systems can be damaged as a result.
How can I protect myself?
- Ignore any email that asks you to send your password or financial information.
- Avoid clicking on links in email without looking at the URL. If the URL is hard to understand, or points to an unusual site, ignore it.
- Don't launch programs from links in email without examining the link, even if the email appears to be from someone you know.
- Talk to your computing support contact about installing software in your web browser or email client to help identify suspicious messages or sites. (One example is NoScript for Firefox.)
- When in doubt, contact the sending organization by other means (not by responding to the message) to verify its authenticity.
Questions? Need advice about phishing?
Contact the IST Security Operations Centre at email@example.com.
Thanks to our guest blogger, Terry Labach.
- Wikipedia on phishing, https://en.wikipedia.org/wiki/Phishing
- Public Safety Canada's phishing definition, http://www.getcybersafe.gc.ca/cnt/rsks/cmmn-thrts-eng.aspx#s05
- US-CERT article: Avoiding Social Engineering and Phishing Attacks, https://www.us-cert.gov/report-phishing
- Staying safe on the Internet, http://www.stopthinkconnect.org
Other (fun) information posters