When to Use?
This article discusses the do's and don'ts for navigating phishing and social engineering.
Social Engineering
Here are some common signs to help you recognize an attack.
Phishing - Using email to trick you into providing sensitive information, whether by replying to the original malicious e-mail, clicking on bogus links, opening attachments, or entering data.
Spear Phishing - These are phishing attempts aimed at specific targets.
Pretexting - Typically used in email, this is a technique where a fake situation (the pretext) is built from publicly available details about the target, and that information is then used for manipulation or impersonation.
Scareware - As the name implies, a frightening pop-up that tries to get you to type in confidential, personal, and private information in order to fix a supposed infection on your computer.
Vishing - Using the telephone in an attempt to trick you into providing valuable, most likely confidential, information.
Smishing - Using text messages (SMS) to trick you into providing sensitive information.
Baiting - An attempt to hook you in by offering goods, such as a free device or gift card.
Do's and Don'ts
DO...
- Check the FROM and REPLY-TO addresses; be wary of supposedly reputable companies using Gmail or foreign email addresses.
- Mouse over links to see the real destination.
- Keep your anti-virus software up to date.
- Use different passwords for your accounts, and change them immediately if you suspect an issue. Consider using a passphrase, a password manager such as LastPass, or multi-factor authentication for added protection.
- Forward phishing emails to phishing@gvsu.edu.
DON'T...
- Click on any links or attachments unless you are sure they are from a trusted source.
- Give out personal or private information.
- Fall for emails because the branding looks real or appears to be from someone you know.
- Click on or call phone numbers listed in pop-up ads or messages.
- Forward a phishing email to other people, except to report it. Do not reply to phishing emails.
Additional Phishing Tips
- Look out for mismatched URLs – hover your mouse over the URL and compare the address.
- Poor grammar and spelling could be an indicator that it is a phish.
- A request for personal information, or worse, asking for money, especially with urgency, can be a phish.
- An offer that appears too good to be true probably is.
- Unrealistic or unlikely threats could be a phish.
- An unfamiliar greeting or salutation could indicate a phish.
- A demand for urgent action that tries to rush you into acting before you have the opportunity to fully study the message for flaws or inconsistencies can be a phish.
- Content that just doesn't look right - trust your instincts. If you need a second opinion, forward the message to phishing@gvsu.edu.
Attempts often take advantage of current events and specific times of the year, such as:
- Natural disasters or significant weather issues
- Global health scares, even flu season
- Financial or monetary concerns, like IRS scams
- Major political elections
- Holidays and celebrations, such as international athletic events
Also be on the lookout for:
- Messages demanding your user name and password to keep your account active.
- Messages warning you of items pending on a mail server.
- Messages requesting your cell phone number.
- Messages asking you to purchase gift cards.
- Unsolicited job offers or work-from-home opportunities.
- Messages containing fake HTML voicemail attachments that require you to log in (the attachment has a .html file extension).
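Several of the signs above (the FROM/REPLY-TO check and free-mail sender domains from the DO list, the mismatched-URL tip, and the fake .html voicemail attachment) can be checked mechanically when triaging a reported message. The following is an added example, not code from the original article: it uses only Python's standard email library, and the free-mail domain list and the sample message are constructed for the example (sample domains are RFC 2606 reserved names).

```python
import re
from email import message_from_string, policy, utils

FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed list
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def host_of(text):  # host shown in a URL or in URL-looking anchor text
    m = re.search(r"(?:https?://)?([\w.-]+\.\w+)", text.strip(), re.I)
    return m.group(1).lower() if m else ""

def phishing_signals(raw):
    """Return the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    from_dom = domain_of(utils.parseaddr(msg.get("From", ""))[1])
    reply_dom = domain_of(utils.parseaddr(msg.get("Reply-To", ""))[1])
    if from_dom in FREE_MAIL:
        flags.append(f"sender uses free-mail domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR.findall(body.get_content() if body else ""):
        shown = host_of(re.sub(r"<[^>]+>", "", text))  # strip inner tags
        if shown and shown != host_of(href):
            flags.append(f"link text shows {shown} but goes to {host_of(href)}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".html", ".htm")):
            flags.append(f"HTML attachment {name} asks for a login")
    return flags

# Constructed sample message (not a real phish) showing all four signs.
SAMPLE = """\
From: "IT Help Desk" <it.helpdesk.notice@gmail.com>
Reply-To: account-verify@example.net
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Verify now: <a href="http://example.net/login">https://mail.example.edu/login</a></p>
--b1
Content-Disposition: attachment; filename="voicemail.html"

<html><body>Log in to hear your message</body></html>
--b1--
"""
```

Calling `phishing_signals(SAMPLE)` returns one flag per sign; a clean message with matching From and Reply-To domains, no links, and no attachments returns an empty list.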