Phishing is the practice of sending falsified emails with the aim of stealing personal information such as passwords, credit cards, or other sensitive data. Since the basic format of email is highly malleable and copyable, it's relatively easy to make a message look and sound official, and since email is used for many formal and official communications, it's possible to be duped into sharing information with the wrong people, or opening your computer to attack. It's also possible though, and often fairly easy, to spot a number of things that give away the fraud.
Signs of a Spoof
Most often, scammers will first:
Attempt to make the message appear to come from a trusted source, like Lehigh, your bank, Google Docs, eBay, PayPal, etc.
State or imply some amount of urgency, indicating that an account will be closed, a 'prize' will be forfeit, a legal action will be taken against you, etc.
Next, they will require some action on your part, such as:
Reply to the email with your password, social security number, address, account number, etc.
Click on a link to go to a web page (to 'log in' or enter other information, verify your address, etc).
Certainly, a legitimate message could do similar things. So how do you know if it's real? There are a number of things to check that can be quick giveaways:
Fluent English? -- while the incidence of poor English in scams is decreasing, it's still a good indication that the person sending the message isn't an employee of a legitimate company doing business in the United States.
Mail Domain -- while it's not hard to spoof, a lot of scams don't even bother to change their mail domain -- that bit after the '@' in their email address. All messages from legitimate Lehigh departments read '@lehigh.edu' on the end of the email address. Not '@lu.com' or '@lehigh.org' or anything else.
Personalized -- most professional communication will be addressed to a single person, and the sender will know your name. While it's true that blanket messages are occasionally sent out by legitimate departments, they will usually name a responsible person or contact, with a position, whom you can independently verify and reach through means other than those offered in the email.
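The sender-domain, urgency and personalization checks above can be applied mechanically as a first-pass triage. The following is an added example (not part of the LTS page or any Lehigh tool) that parses a raw message, classifies the From: address against the lehigh.edu domain, flags lookalike domains and display names that trade on the Lehigh name, and notes the other warning signs the page lists; the sample messages and keyword lists are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "lehigh.edu"  # the only domain the page treats as legitimate Lehigh mail
ORG_KEYWORD = "lehigh"         # spots lookalike domains (lehigh.org) and impersonating display names
# Constructed keyword lists based on the pressure tactics and requests described on the page.
URGENCY = ("will be closed", "legal action", "prize", "immediately", "within 24 hours")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear account holder", "dear member")
CREDENTIAL_ASKS = ("password", "social security", "account number", "log in", "verify your")

def classify_sender(from_header):
    """'trusted' if the address ends in @lehigh.edu; 'lookalike' if the domain or the
    display name uses the Lehigh name without being lehigh.edu; otherwise 'external'."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == TRUSTED_DOMAIN:
        return "trusted"
    if ORG_KEYWORD in domain or ORG_KEYWORD in display.lower():
        return "lookalike"
    return "external"

def phish_indicators(raw_message):
    """Return the warning signs (as listed on the page) present in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    # decode=True returns bytes for a single-part body and None for multipart, so this never crashes
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
    found = []
    sender = classify_sender(msg.get("From", ""))
    if sender != "trusted":
        found.append("sender:" + sender)
    if any(p in body for p in URGENCY):
        found.append("urgency")
    if any(g in body for g in GENERIC_GREETINGS):
        found.append("generic-greeting")
    if any(c in body for c in CREDENTIAL_ASKS):
        found.append("asks-for-credentials")
    if re.search(r"https?://", body):
        found.append("contains-link")
    return found

# Constructed sample messages: one lookalike-domain lure and one routine departmental note.
SAMPLE_PHISH = """\
From: Lehigh IT Support <helpdesk@lehigh.org>
Subject: Account suspension notice

Dear user, your mailbox will be closed immediately unless you verify your
password at http://example.test/login
"""
SAMPLE_LEGIT = """\
From: Jane Doe <jdoe@lehigh.edu>
Subject: Reminder about the department meeting

Hi Sam, see you Tuesday at 3pm in the usual room.
"""
```

Because the From: header itself is easy to forge (as the page notes), a "trusted" result only means the visible address is right, not that the mail is genuine; the out-of-band verification described below is still the decisive check.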
What Should You Do?
If you are suspicious, the most important technique is to find another route (besides information or links in the email) to verify any claims. Avoid clicking links in the email. Instead, open a web browser yourself and go to Lehigh's website, the bank's website, or the website of whatever organization is involved, using your regular route to the site. Or use a telephone, call that person or organization, and ask about the email.
The second most important thing to do, if you're at all uncertain, is to report it. One thing about phishing is that you're likely not alone in receiving the message. 'Phishing' is like real fishing in that the message has been sent to many people, and the scammer is hoping that one person (or a few) out of perhaps hundreds or thousands will "take the bait." If you have strong suspicions, forward the email to the LTS Information Security Office at email@example.com or the LTS HelpDesk at firstname.lastname@example.org. They'll be able to examine it more closely, and notify others to be aware.
Report Phishing in Gmail
Lehigh's Gmail system makes it easy as well: With the questionable message open, select the small 'down arrow' next to the 'reply' button. In the menu, choose 'Report Phishing'.
You can also use the Phish Alert Button located on the right side of your email inbox. Simply select the questionable message, click the Phish Alert Button, and confirm that you want to send it. This will automatically send the message to the correct team to handle the investigation into the message.
This is the Phish Alert Button.
KnowBe4 Phishing Campaigns and Training
KnowBe4 is a vendor that partners with Lehigh to provide phishing training and to conduct phishing campaigns that give our users real-life practice in recognizing and handling phishing emails. These phishing campaign emails can take a variety of forms and appear to come from different sources, including internal Lehigh sources. If the link within a phishing campaign email is clicked, a second email will be sent stating that you have failed a phishing campaign, and you will automatically be enrolled in training to help refresh your ability to recognize phishing emails moving forward. Subsequent failures will lead to more in-depth training to help you better protect yourself and your Lehigh data. If you have any questions or concerns about a phishing campaign email, please contact the Information Security team at email@example.com.
To hone your spoof-spotting skills, and to see if your spoof has already been reported, LTS maintains a 'Rogues Gallery' of examples of phishing emails that have targeted Lehigh. How might you have spotted these as fake?