Phishing Awareness and Education

In this digital age, information is exchanged so rapidly it's difficult to keep up. You see countless emails every day. It's easy to become numb to the influx of information. We enter a state of mind, "click here, get it done, move on." Unfortunately, criminals know this and capitalize on our behavior. To combat their efforts, take an extra second to look at each email through your Cautious Lens. If you're unsure if the email is legitimate, ask someone. It's better to be safe than sorry. Benjamin Franklin once said, "Distrust and caution are the parents of security." With that in mind use your Cautious Lens, and the remaining tips below, to help keep yourself, your colleagues, and our students, safe.

Now that you know to use your Cautious Lens, go one step further and break the email down.

• Who did the email come from? Check the From Address to see if you recognize the account.
• What is the email asking? If the request is vague or unclear, chances are the intention of the email is something else entirely.
• Where do you see spelling or grammar errors? Sure, we all make mistakes, but most phishing emails would fail a middle school English exam.
• When do you need to respond or take action? Quite often, phishing emails will ask that you move quickly or take action immediately.
• Why are you receiving this email? Why do you have to download this attachment? Why do you need to sign in to fill out a form?

The Hover Technique can, and should, be applied to your day to day email barrage as well as your web browsing and overall digital experience. It's simple, and enlightening. Here's how it works. Move you cursor over a link and leave it there. Don't click! A small box will appear near the cursor and/or in the bottom left of the window or application you're using. In the box, you'll see the true hyperlink that is embedded in the link you're hovering over. Try it now. Where does this link actually take you? Refer to our short video below for an example.

https://www.k12albemarle.org

 

Depending on the application you’re using, you may only see one box with the information displayed. Unfortunately, the hover technique doesn't work well on mobile devices. If you're using a mobile device and believe a link to be suspicious, wait until you're on a computer to double-check the link. Be sure to use the Hover Technique for every link in your emails!

 

 

Phishing is a serious problem that is achieved in a number of different ways. Email spoofing and website spoofing are two of the primary methods by which phishers acquire sensitive information from unsuspecting Internet users.

While email spoofing and website spoofing are sometimes used separately, they are often used in concert with each other. For example, a spoofed email is used to lead a victim to a spoofed website; the spoofed website requests sensitive financial information or login information from the victim. In this way, a successful phishing attempt may be undertaken. 

What is Email Spoofing?

Email spoofing is when a bad actor sends an email with a false email address or name. For example, you may receive an email that appears to be from an administrator or supervisor, but in reality the from address is "spoofed," or fake. You can often tell if the address is real or not by taking an extra second to look at the from address. You'll notice that spoofed email addresses have spelling errors, strange email addresses, or different sender names. 

It's always best practice to contact an individual directly if an email or correspondence has a suspicious request. Remember, the Department of Technology will never ask you to reset your password through email. In fact, unless you prompted the reset, most websites and online services will not contact you unsolicited to reset your password. 

What is Website Spoofing?

Website spoofing, much like email spoofing, uses URL's or hyperlinks that appear to be legitimate when in reality they're fraudulent. The Hover Technique, mentioned in a section above, is a great strategy to investigate links in emails or websites to verify the true, embedded link. Avoid clicking on any links that seem suspicious. When possible, type in a website's URL manually to avoid malicious links. 

Best Practices

The best way to handle spoofed emails and spoofed websites is by exercising caution at all times. If something seems “off” about an email, do not open attached files or click on included links. By taking your time and being careful, you should be able to avoid most problems.