Avoiding Phishing Attacks and Scams

This week of National Cyber Security Awareness Month (NCSAM) is focused on providing you the information and tools necessary to protect yourself against one of the most common and effective cyberattacks - Phishing. We will also cover some common scams that target your personal information, online accounts and money.

Phishing is a fraudulent attempt by cybercriminals to obtain your sensitive information like passwords, and credit card numbers eg.. either through phone, email or text. If they are successful in getting that information, they can gain access to your email, bank, and other accounts.

Phishing attacks are often simple, but can be very effective. They do not require a lot of effort to create and carry out. Cybercriminals have upped their game since the famous “prince-who-will-wire-you-money” scam. They have updated their tactics and now use spoofed email addresses and so much more.

Today’s phishing attacks are clever:

Spoofing email addresses that make it look like an email coming from brand names you recognize and possibly do business with
They copy legitimate emails sent by real companies, but they change the links to send you to a malicious website.
Some offer smaller items like gift cards, you may likely click on.
The emails may even look like they come from people you know and trust like a colleague, friend, boss, family member or government agency.
They try to scare you into acting quickly, so that you may not notice some of the signs that you have received a phish.

Here’s a list of things you should remember when checking your emails:

Pause… Think before you click, Is there a sense of urgency it’s trying to convey? If it looks suspicious, it probably is!
Verify before you click a link or submit any personal information. If it’s an email from your bank or an organization you know, call them on a number you know (and don’t use the one listed on the already suspect email) and ask if they really sent it to you.
Check with someone first! Never download anything you received in an email unless you are 100% sure it’s from a trusted source and something you are expecting - remember, a single compromised system in our internal network can be the new launchpad for the hacker.
If in doubt, don’t open it! Ask your IT department, report it to Phish@kent.edu for evaluation and simply delete the message.
- For more Phishing tips and Best practices
- Free online cyber security training

Phishing emails and text messages will often tell a story to trick you into clicking on a link or opening an attachment.

For example:

Say they noticed some suspicious activity or log-in attempts
Claim there’s a problem with your account or your payment information
Say that you must confirm some personal information and to click and provide it
Includes a Fake invoice
Wants you to click on a link to make a payment
Tell you that your eligible to register for a government refund
Offer you a coupon for free stuff

Types of Phish:

Standard Email Phishing – this attack is an attempt to steal sensitive information via an email that appears to be from a legitimate organization. It is not a targeted attack and can be sent as a mass email.
Malware Phishing – Utilizing the same techniques as email phishing, this attack encourages targets to click a link or download an attachment so that malware can be installed on the device.
Spear Phishing – Where most phishing attacks cast a wide net, spear phishing is a highly-targeted, well-researched email or electronic communication scam targeted towards a specific individual, organization or business.
Smishing (Text Messaging) - SMS enabled phishing delivers malicious short links to smartphone users, often disguised as account notices, prize notifications and political messages.
Search Engine Phishing – In this type of attack, cyber criminals set up fraudulent websites designed to collect personal information and direct payments. These sites can show up in seemingly ordinary search results or as paid advertisements for popular search terms.
Vishing – Vishing, or voice phishing, involves a malicious caller pretending to be from tech support, a government agency or other organization and trying to extract personal information, such as banking or credit card information. They may even leave threatening voicemails.
BEC (Business Email Compromise) – Business email compromise involves a phony email appearing to be from someone in or associated with Kent State University or another business/institution requesting urgent action, whether wiring money or purchasing gift cards.

Imposter Scams:

Imposter scams often begin with a call, text message, or email. The scams may vary, but work the same way- a scammer pretends to be someone you trust, often a government agent, family member, or someone who promises to fix your computer- to convince you to send them money or share your personal information. Scammers may ask you to wire money, put money on a gift card, or a Reloadit card, send cryptocurrency (like bitcoin) knowing these types of payments can be hard to reverse and track. According to the Federal Trade Commission, Americans lost more than $667 million to imposter scams in 2019.

Learn to Recognize Scams

You can get a call, email, or text message from someone pretending to be:

A Family member (or someone acting for them) saying your relative is sick, has been arrested or is in serious trouble and needs money right away.
A Court Official, indicating that you failed to appear for jury duty and need to pay a fine or you will be arrested.
The Police, saying you’ll be arrested, fined or deported if you don’t pay taxes or some other fake debt right away.
The Social Security Administration, claiming that COVID-19 related office closures mean your benefits have been suspended.
The IRS, saying you owe back taxes, there is a problem with your return or they need to verify information.
Your Bank, claiming they need to verify personal information before they can send you a new card.

PROTECT YOURSELF, Money and Personal information!

Be very cautious accepting friend requests on social media, from people you don’t know.
Periodically review your social media privacy settings. Don’t leave your social media public. Limit access to your known circle of friends.
Don’t go into private chat rooms with someone you don’t know or just met.
Only share photos, videos and live streams of yourself that you would be comfortable with family members and your close circle of real life friends seeing. You have to assume that the things you share could be sent on social media to others. Even if you use caution to protect your data, the recipients may not.
Never share your usernames and password information with anyone.
When making online purchases, make sure you are buying from a reputable, known retailer. Don’t go outside the acceptable payment methods. Once you do, any available transaction protection may be lost. Make sure any purchases made from a reputable retailer are made using a secure site.
Be suspicious of any call from a government agency asking for money or information. Government agencies do not use threats and they don’t call you with promises of -or demands for money.. Scammers do!
Do NOT trust caller ID. It might look like a real number, but they can be faked. Spoofing phone numbers is easy.
NEVER pay with a gift card, wire transfer or bitcoin. If someone tells you to pay this way it most assuredly is a scam.
Check with the real agency, person or company. Do NOT use the phone number they give you. Look it up yourself. Then call to find out if they are trying to reach you and why if they are.

Scams