Phishing Awareness

Summary

Phishing is the most common form of hacking, and one of the most dangerous. Review this information to learn about and stay safe from its different forms.

Body

While malware is well-known to be a common threat to information security, the truth is that these days phishing is by far the more prevalent and effective method of hacking. After all, it's much harder for hackers to break through the wall of security on the various platforms and devices we all use than it is to simply trick us into letting them right through the door unwittingly.

What is phishing?

Phishing is a common attack where a hacker attempts to acquire sensitive information, such as usernames, passwords, and credit card details, by masquerading as a trustworthy entity. 

Phishing attempts often look authentic, seeming to come from a legitimate business or individual. They frequently urge you to act quickly, warn you of a compromised account, or ask for additional information before fulfilling an online order.  

Phishing scams vary widely in terms of their complexity, the quality of the forgery, and the attacker's objective. Several distinct types of phishing have emerged.

Vishing

Vishing, or voice phishing, uses phone calls intended to create a sense of urgency to act.

Smishing

Smishing uses text messages to get people to provide information or click a link.

Spear phishing

Phishing attacks directed at specific individuals, roles, or organizations are referred to as "spear phishing". Since these attacks are so pointed, attackers may go to great lengths to gather specific personal or institutional information in the hope of making the attack more believable and increasing the likelihood of its success.

A good defense against spear phishing is to carefully and securely discard information that could be used in such an attack (e.g., using a cross-cut shredder). Further, be aware of data that may be relatively easy to obtain (e.g., your title at work, your favorite places, or where you bank), and think before acting on seemingly random requests via email or phone.

Whaling

The term "whaling" is used to describe phishing attacks (usually spear phishing) directed specifically at executive officers or other high-profile targets within a business, government, or other organization.

  • Be wary of emails asking for confidential information. Legitimate organizations will never request sensitive information via email. Never submit confidential information via forms embedded within email messages.
  • Watch out for generic-looking requests for information. Fraudulent emails are often not personalized, while authentic emails from your bank often reference an account you have with them (usually by account number or some other unique, independently verifiable identifier).
  • Do not click on links within an email message that look suspicious. Phishing emails usually contain a link to a web page that looks similar to the login page for a service. Once you try to log in with your username and password, the hackers have your credentials and start using them to phish information from others.

Look for [EXT] in subject lines in your Stonehill email

Remember to take your time with any emails carrying the [EXT] tag, as this indicates the message came from a non-Stonehill email address. Of course, you'll receive perfectly legitimate emails from outside the College regularly, but if you see an email claiming to be from a Stonehill address and carrying [EXT] in the subject line, you know you're looking at a phishing attempt.

Is that web site legitimate?

Don't be fooled by a site that simply looks real. It's easy for phishers to create web sites that look like the genuine sites, complete with the logos and other graphics of a trusted web site.

If you're at all unsure about a web site, do not log in. The safest thing to do is to close and then reopen your browser, and then type the URL into your browser's address bar. Typing the correct URL is the best way to be sure you're not redirected to a spoofed site.

Learn to analyze a web address

Just because the address looks OK, don't assume you're on a legitimate site. Look in your browser's address bar for signs that you may be on a phishing site.

Often the web address of a phishing site looks correct, but actually it contains a common misspelling of the company name or a character or symbol before or after the company name.
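As an added example (not part of this article or of Stonehill's own systems), the following Python applies two of the rules above mechanically: the [EXT] rule from the "Look for [EXT]" section and the look-alike address rule from this section. It assumes stonehill.edu is the legitimate domain and that the mail gateway tags outside mail exactly as [EXT]; the sample message and every host name other than stonehill.edu are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

EXPECTED = "stonehill.edu"   # assumption: the domain the reader expects to be on
EXT_TAG = "[EXT]"            # assumption: the exact tag the mail gateway adds to outside mail

def registrable_domain(host):
    # Naive last-two-labels rule: fine for .edu/.com, wrong for suffixes such as .co.uk
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze_url(url, expected=EXPECTED):
    """Return warnings for one address; an empty list means it really is `expected`."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.username is not None:  # https://stonehill.edu@other.example: text before '@' is not the site
        warnings.append(f"text before '@' ({parts.username!r}) is not the site name")
    actual = registrable_domain(host)
    if actual == expected:
        return warnings + ([] if parts.scheme == "https" else ["not using https"])
    warnings.append(f"site is {actual!r}, not {expected!r}")
    brand, first = expected.split(".")[0], host.split(".")[0]
    if brand in host:  # brand present only as a subdomain or with extra characters, e.g. stonehill-edu.com
        warnings.append(f"{brand!r} appears in the host but does not control it")
    elif SequenceMatcher(None, brand, first).ratio() >= 0.8:  # one-character typos such as stonehil1
        warnings.append(f"{first!r} looks like a misspelling of {brand!r}")
    return warnings

def check_message(raw, expected=EXPECTED):
    """Apply the [EXT] rule to the headers, then analyze_url to every link in the body."""
    msg = message_from_string(raw)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if EXT_TAG in msg.get("Subject", "") and registrable_domain(from_domain) == expected:
        findings.append("claims a Stonehill sender but carries the external tag")
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        findings.extend(f"{url}: {w}" for w in analyze_url(url, expected))
    return findings

SAMPLE = (  # constructed sample message, not real mail
    "From: IT Service Desk <service-desk@stonehill.edu>\n"
    "Subject: [EXT] Your mailbox will be disabled today\n"
    "\n"
    "Confirm your password at https://myhill.stonehill.edu.account-verify.example/login\n"
)
```

Running check_message(SAMPLE) reports both the sender/tag mismatch and that the link's real site is account-verify.example, not stonehill.edu.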

Use myHill or your own browser bookmarks (favorites)

Use myHill to gain safe access to the online services that Stonehill College provides to its students, faculty and staff. Some of the links lead to the legitimate login pages, while other services use single sign-on, which brings you directly to the service without asking for your username or password.

Don’t get pressured into providing sensitive information

Phishers like to use scare tactics and may threaten to disable an account or delay services until you update certain information. Be sure to contact the IT Service Desk or the merchant directly to confirm the authenticity of the request. Remember, Stonehill employees, including employees from the Information Technology department, will never ask you for your password and do not need it to assist you. 

Remember that messages from Stonehill will never be quarantined

All legitimate messages from Stonehill College will be delivered to your inbox. Under no circumstances will a Stonehill message ever be caught by the quarantine filter.  If a message claims to come from an @stonehill.edu email address but is caught in quarantine and you see it listed in your Spam Notification email, DO NOT release it to your inbox.

When in doubt, change your password.

If you think your password has been compromised, change it immediately. This is extremely important. Change it even if there is only a small chance that the site you just logged into with your Stonehill credentials might be a trap!

As a reminder, the safest way to access the password change service is to type the address for myHill (myHill.stonehill.edu) into a web browser, log in, and click the Password Change button.

If you receive a questionable message, contact the IT Service Desk.

If you have any questions or concerns about an email message that looks fake or questionable, contact the IT Service Desk at 508-565-1111 or email service-desk@stonehill.edu for assistance.

Details

Article ID: 149020
Created
Wed 2/8/23 4:01 PM
Modified
Tue 7/16/24 8:40 AM