Phishing Awareness

While malware is a well-known threat to information security, phishing is today by far the more prevalent and effective way for attackers to get in. It is much harder to break through the security controls on the platforms and devices we all use than it is to trick us into letting the attacker through the door ourselves.

What is phishing?

Phishing is a common attack in which an attacker tries to acquire sensitive information, such as usernames, passwords, and credit card details, by masquerading as a trustworthy entity.

Phishing attempts often look authentic, appearing to come from a legitimate business or individual. They frequently urge you to act quickly, warn you that an account has been compromised, or ask for additional information before an online order can be fulfilled.

Phishing scams vary widely in terms of their complexity, the quality of the forgery, and the attacker's objective. Several distinct types of phishing have emerged.

Malicious Document Shares

Cybercriminals often send cloud-document-sharing emails that look like they come from trusted services such as OneDrive, Google Drive, or SharePoint. When you click the link, it may take you to a fake (yet realistic-looking) login page. If you sign in, your username and password go straight to the attacker.

What to watch for:

  • Unexpected file-sharing emails (or links), even if they appear to come from people you know.
  • Documents that ask you to “enable content” or sign in again. Stonehill's cloud environment is single-sign-on (SSO), so if you're prompted to log in when you're already in your email, that's a big red flag.
  • Check the web address (URL): watch out for login pages whose address does not match Stonehill's studentsstonehill.sharepoint.com.

How to stay safe:
  • Don’t open shared files or links unless you were expecting them or have at least verified the sender is legitimate.
  • When in doubt, contact the sender directly (not by replying to the message).
  • Report any suspicious document or link to the IT Service Desk right away.

Vishing

Vishing, or voice phishing, uses phone calls designed to create a sense of urgency so that you act before you think.

Smishing

Smishing uses text messages to get people to hand over information or click a link. Often the attacker starts a conversation pretending to be IT or another legitimate business and asks for, or offers, MFA codes to "verify" your account; in reality they are tricking you into passing them through multi-factor authentication (MFA).

These attacks are particularly dangerous because they arrive from unrecognized numbers, just as text messages from legitimate businesses do. Worse still, many businesses still deliver MFA codes by text message, which makes it harder to tell whether a given message is legitimate.

To avoid being smished, remember:

  • No legitimate party will ever ask you for your MFA codes, or give you codes to enter into your authenticator app. Treat anyone who tries as an attacker.
  • Your MFA codes are for you to generate and for you to enter; no one else should be involved in the process.

Spear phishing

Phishing attacks directed at specific individuals, roles, or organizations are referred to as "spear phishing". Since these attacks are so pointed, attackers may go to great lengths to gather specific personal or institutional information in the hope of making the attack more believable and increasing the likelihood of its success.

A good defense against spear phishing is to carefully and securely discard information (for example, with a cross-cut shredder) that could be used in such an attack. Also be aware of data that is relatively easy to obtain (your title at work, your favorite places, where you bank), and think before acting on seemingly random requests made by email or phone.

Whaling

The term "whaling" is used to describe phishing attacks (usually spear phishing) directed specifically at executive officers or other high-profile targets within a business, government, or other organization.

  • Be wary of emails asking for confidential information.
  • Legitimate organizations will never request sensitive information via email. Never submit confidential information via forms embedded within email messages.
  • Watch out for generic-looking requests for information.
  • Fraudulent emails are often not personalized, while authentic emails from your bank often reference an account you have with them (usually by account number or some other unique, independently-verifiable identifier).
  • Do not click on links within an email message that look suspicious.
  • Phishing emails usually contain a link to a web page that looks like the login page for a service. Once you try to log in with your username and password, the attackers have your credentials and use them to phish others.

Look for the External tag (especially on emails claiming to come from Stonehill addresses)

Take your time with any email carrying the [EXT] tag; it indicates that the message came from a non-Stonehill email address. You will of course regularly receive perfectly legitimate email from outside the College, but if a message claims to come from a Stonehill address and carries [EXT] in the subject line, the sender address is not what it claims to be and you are looking at a phishing attempt.

Is that website legitimate?

Don't be fooled by a site that simply looks real. It is easy for phishers to build websites that mimic genuine sites, complete with the logos and other graphics of the trusted brand.

If you're at all unsure about a website, do not log in. The safest thing to do is to close and then reopen your browser, and then type the URL into your browser's address bar. Typing the correct URL is the best way to be sure you're not redirected to a spoofed site.

Learn to analyze a web address

Just because the address looks OK, don't assume you're on a legitimate site. Look closely at your browser's address bar for signs that you may be on a phishing site.

The web address of a phishing site often looks correct at a glance, but it actually contains a common misspelling of the company name, or an extra character or symbol before or after the name, so that the real owner of the address is someone else.
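
The script below is an added example, not code from the original page or from Stonehill IT. It applies the address-bar checks described above to a link before anyone clicks it: it finds the host the browser would actually connect to (so that `user@` tricks and anything after the host are ignored), treats only an allowlist of known-good domains as trusted, and flags the common disguises: the real name buried inside a longer untrusted domain, a hyphenated or misspelled look-alike, and non-ASCII or punycode characters. The allowlist, the sample links and the "last two labels" shortcut for the registrable domain are assumptions made for the example; a real deployment would consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist for this example. The page names stonehill.edu and
# studentsstonehill.sharepoint.com; a real deployment would maintain its own.
TRUSTED = ("stonehill.edu", "studentsstonehill.sharepoint.com")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """'www.stonehill.edu.login-verify.com' -> 'login-verify.com'.

    Simplification (assumed for this example): take the last two labels.
    Production code should use the Public Suffix List so that a host such as
    'example.co.uk' is not reduced to 'co.uk'.
    """
    return ".".join(host.split(".")[-2:])


def classify(url: str) -> str:
    """Return 'trusted', or 'suspicious: <reason>' for a link target."""
    url = url.strip()
    if "://" not in url:
        url = "https://" + url  # bare 'stonehill.edu/...' style text in a message
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "suspicious: no hostname"
    # 'https://stonehill.edu@evil.example/' connects to evil.example; the text
    # before '@' is userinfo that browsers ignore, not the host.
    if parts.username is not None:
        return f"suspicious: credentials before '@' hide the real host {host}"
    if host in TRUSTED or any(host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    # Look-alike characters (e.g. a dotless i) or an already punycoded label.
    if not host.isascii() or "xn--" in host:
        return f"suspicious: non-ASCII or punycode look-alike host {host}"
    reg = registrable_domain(host)
    for t in TRUSTED:
        # Trusted name buried in a subdomain or glued on with a hyphen:
        # stonehill.edu.login-verify.com, stonehill-edu.com
        if t in host or t.replace(".", "-") in host:
            return f"suspicious: trusted name appears inside untrusted domain {reg}"
        # Misspelling of the organisation's name: stonehil.edu, stonehi11.edu
        if edit_distance(reg.split(".")[0], t.split(".")[0]) <= 2:
            return f"suspicious: {reg} is a near-miss for {t}"
    return f"suspicious: unknown domain {reg}"


if __name__ == "__main__":
    # Constructed sample links for illustration; none of them are real sites.
    for link in [
        "https://mail.stonehill.edu/owa",
        "https://studentsstonehill.sharepoint.com/sites/it",
        "http://www.stonehill.edu.login-verify.com/",
        "https://stonehi11.edu/login",
        "https://stonehill.edu@evil.example/login",
        "https://stonehıll.edu/",
    ]:
        print(f"{link:50} {classify(link)}")
```

Note that the allowlist model deliberately flags every domain it does not know, including legitimate third parties; the point is that "unknown" should send you to myHill or a bookmark rather than to the link in the message.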

Use myHill or your own browser bookmarks (favorites)

Use myHill to gain safe access to the online services that Stonehill College provides to its students, faculty and staff. Some of the links open the legitimate login page for a service, while other services use single sign-on and take you straight into the service without asking for your username or password.

Don’t get pressured into providing sensitive information

Phishers like to use scare tactics and may threaten to disable an account or delay services until you update certain information. Be sure to contact the IT Service Desk or the merchant directly to confirm the authenticity of the request. Remember, Stonehill employees, including employees from the Information Technology department, will never ask you for your password and do not need it to assist you. 

Remember that messages from Stonehill will never be quarantined

All legitimate messages from Stonehill College will be delivered to your inbox. Under no circumstances will a Stonehill message ever be caught by the quarantine filter.  If a message claims to come from an @stonehill.edu email address but is caught in quarantine and you see it listed in your Spam Notification email, DO NOT release it to your inbox.

When in doubt, change your password.

If you think your password has been compromised, change it immediately. This is extremely important. Change it even if there is only a small chance that the site you just logged into with your Stonehill credentials was a trap.

As a reminder, the safest way to access the password change service is to type the address for myHill (myHill.stonehill.edu) into a web browser, log in, and click the Password Change button.

If you receive a questionable message, contact the IT Service Desk.

If you have any questions or concerns about an email message that looks fake or questionable, contact the IT Service Desk at 508-565-1111 or email service-desk@stonehill.edu for assistance.
