Phishing

Phishing is a cybercrime in which attackers use social engineering techniques to trick potential victims into providing personal information. The information could be a username and password, banking/credit card information or other personal information.


    There are many different types of phishing. Here are a few of the more common types:

    • Phishing - This is the overall term but is also a subcategory. Phishing refers to an attack sent via e-mail. Phishing is targeted at a wide audience with no regard to the age, gender, religious affiliation, or workplace of the potential victims.

    • Spear Phishing - This is a more targeted approach to phishing. The attacker narrows down the audience and sends an e-mail that is specific to that audience. For example, John is a Winthrop employee. He receives an e-mail from "Payroll" stating that he needs to update his direct deposit information or his next check may not go through. In this scenario, the attacker knows John works for Winthrop and is using that against him, hoping he will provide his banking information.

    • Whaling - Whaling is another targeted phishing scam. However, whaling is an attempt to snag the "big fish". Typically, these targets would be the executives of a business or agency. At Winthrop, potential targets of whaling would be Vice Presidents, the President, and the Board of Trustees.

    • Smishing - Smishing is another type of phishing scam but it doesn't use e-mail. It uses SMS/text messaging. The attackers are still trying to get information but are just using a different attack vector.

    • Vishing - This is another type of attack, but this one is a little more personal. This is Voice Phishing. The attacker will actually call a potential victim on the phone. Generic attempts could tell you your social security number has been suspended or that your bank account information needs to be updated. Some attackers will use information they have discovered about you, such as your child's name. In fact, a Winthrop employee has received a few calls stating that her son (even using his actual name) is in jail in Miami and she needed to provide a credit card number to get him out.

    Phishing attacks have become more advanced over time. It used to be easier to spot a scam. One of the tell-tale signs was bad grammar and spelling mistakes. The criminals have gotten better. But there are still a few things to look for to spot a phishing e-mail.

    • FROM address - Do you recognize the FROM address? Note that there is a difference between the DISPLAY NAME and the actual FROM address. A display name is the "pretty" name. For example, it could say "Skywalker, Luke" or "IT Support Team". But look for the e-mail address. Does it look like what you would expect? If the display name is "Winthrop Support" but the e-mail address is "winthropsupport@gmail.com", then you know it is NOT really Winthrop support since it does not come from an @winthrop.edu address.

    • Don't click that link! - If an e-mail contains a link to a website, your first instinct should be to NOT click on it! Links can be tricky. The link may be listed as something you would expect, like Netflix.com or the Winthrop employee portal. But take a look at this example: an "innocent" link to Netflix that, when you click on it, takes you to the Winthrop website instead.

      How could you have figured this out without clicking the link? Take your mouse pointer and hover over the link but do NOT click. The real link will show up and you will see it is not as it appears. You can do this with links as well as some images. Scammers will put a link on a picture in e-mails as well. You can hover over the picture to see if there is a link or not.

    • Asking for personal information - Is the e-mail asking for personal information such as your cell phone number, mailing address, banking information, or password? Then it might be a phishing attack! There are certainly legitimate reasons why you might be asked for your cell phone or mailing address. But you should verify that it is a legitimate request BEFORE you respond. For more sensitive information such as banking information, you should be even more on guard. Double and triple check the source! And NEVER send that information in an E-MAIL! In order to sign up for direct deposit at Winthrop, you have to provide banking information but NO ONE will ask you to E-MAIL that bank information. And NEVER give out your password to anyone… for any reason! Any legitimate tech support personnel will be able to assist you WITHOUT knowing your password.

    • Offer is too good to be true - This is the classic Nigerian prince scam. If someone is offering you a deal that seems too good to be true, it probably is. There is no Nigerian prince that will give you his million$. When it comes to sweepstakes like Publishers Clearing House, if you are a winner, you will NOT need to pay anything before they can give you the money.

    • You are asked to take action NOW - Many scammers try to place a sense of urgency into the phishing e-mails. When a person is asked to do something IMMEDIATELY or AS SOON AS POSSIBLE, that person may take action before really thinking about it, especially if the request appears to come from a supervisor. Before you act, verify the request.

    • It just doesn't sound right - Sometimes that e-mail seems to be legitimate. The FROM address looks right. It doesn't have any links. It is not asking for personal information or even creating a sense of urgency. But somehow, it just doesn't feel right. Maybe your supervisor always signs her e-mails as Nikki but this one was signed as Nicole. Or the wording is just not quite right. If it doesn't feel right, verify the e-mail a different way before responding. Call the person who appears to be the sender. Or create a new e-mail to that person to ask them.

    • Click the Reply button - You might be saying "What?!? I thought we should NOT reply to these messages." Well, that is true. You should not reply. However, if you click the Reply button, you can see who the e-mail will be sent back to. DO NOT ACTUALLY SEND THE E-MAIL! Just look at the TO field in your reply. If the TO field in the reply does not match the FROM field from the original, that is a good sign the e-mail is a scam. 
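    Three of the checks above (display name vs. the real FROM address, where a Reply would actually go, and where a link really points) can be done by a program as well as by eye. The following is an added Python example, not code from the original page or from Winthrop; it parses a constructed sample message with the standard library only, and takes the organisation's name and mail domain as parameters (here "Winthrop" and "winthrop.edu"). The Reply-To address example.net and the gmail.com sender are constructed for the sample.

```python
"""Header and link checks mirroring the manual phishing checks in the text:
display name vs. actual FROM address, Reply-To vs. FROM, and visible link
text vs. the real link target.  Standard library only."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample: display name claims "Winthrop Support" but the address
# is gmail.com, replies go to a third address, and the link text says
# netflix.com while the href points at the Winthrop site.
SAMPLE_EMAIL = b"""From: "Winthrop Support" <winthropsupport@gmail.com>
Reply-To: helpdesk-reset@example.net
To: john@winthrop.edu
Subject: Update your direct deposit information NOW
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your next check may not go through. Verify your account at
<a href="https://www.winthrop.edu/">netflix.com</a> immediately.</p>
</body></html>
"""

# A bare domain or URL: optional scheme, a dotted host, optional path.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] of the <a> being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(s.strip() for s in self._current))
            self._current = None


def host_of(value):
    """Hostname named by a URL or bare domain ('' if the text is not one),
    lowercased with a leading 'www.' removed so netflix.com == www.netflix.com."""
    m = HOST_RE.match(value.strip())
    if not m:
        return ""
    host = m.group(1).lower()
    return host[4:] if host.startswith("www.") else host


def check_message(raw, org_name, org_domain):
    """Return a list of warning strings for raw RFC 5322 message bytes.

    org_name is the name a spoofed display name would borrow ("Winthrop");
    org_domain is the domain the organisation's real mail comes from."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    warnings = []

    # 1. Display name vs. actual FROM address.
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    if org_name.lower() in display.lower() and from_domain != org_domain.lower():
        warnings.append(
            f'display name "{display}" claims {org_name} but address is {from_addr}')

    # 2. The "click Reply" check: where would a reply actually be sent?
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        warnings.append(f"reply would go to {reply_addr}, not {from_addr}")

    # 3. The "hover over the link" check: text names one site, href another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, real = host_of(text), host_of(href)
            if shown and real and shown != real:
                warnings.append(f'link text "{text}" actually goes to {real}')
    return warnings


if __name__ == "__main__":
    for w in check_message(SAMPLE_EMAIL, "Winthrop", "winthrop.edu"):
        print("WARNING:", w)
```

    The link check only fires when the visible text itself looks like a site name; ordinary text such as "click here" is skipped, since the point in the text is a link that claims to be one site and goes to another. Running the block on the sample prints three warnings, one for each check.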

    You have received an e-mail and you suspect that it is a phishing e-mail. What do you do about it? Here are some options.

    If you are absolutely sure it is a phishing e-mail, just delete it. Simply receiving a phishing e-mail is not harmful, so deleting it is enough. Do NOT reply to the e-mail, even to say something like "Go away scammer!"

    But what if you are not sure? There are a few things you can do. First, if the e-mail appears to come from someone you know, verify with that person some other way. Call the person to ask if they sent it. Or start a new e-mail, enter their e-mail address and ask if they sent you the suspect e-mail. Do NOT reply to the original e-mail.

    You can also forward the e-mail to servicedesk@winthrop.edu and someone can take a look at it to give you advice.

    There are times when you may receive a solicitation from a company to check out their new product or register for some contest. They might exhibit some of the hallmarks of phishing but might just be generic spam e-mails.

    You received an e-mail and you did what the e-mail said. And now you are concerned that it was a phishing message. What do you do? It depends on what information you provided the attacker.

    • Username and password - If the phishing e-mail had you log on to a website, you need to change your password IMMEDIATELY! The criminal now has your password and can access your account. CHANGE YOUR PASSWORD!

    • Gave out phone number - If you gave out your phone number, there are not too many options. You should be prepared for an increase in Vishing (voice phishing) and, if the number was for a mobile phone, an increase in Smishing (SMS/text phishing). You can try blocking the numbers but the cyber criminals change numbers so the block wouldn't do much in the long term. If the issue gets to be too much of a nuisance, the only real solution would be to get a new phone number.

    • Provided your banking or credit card information - Contact your bank or credit card provider. They have personnel available to help you.

    • Bought a gift card with a Winthrop P Card - If the phishing scam asked you to purchase a gift card (a very common scam) and you provided the gift card information to the scammer, then this becomes a criminal issue. First, YOU ARE NOT THE CRIMINAL! The scammer is the criminal. You are the victim. This would need to be reported to servicedesk@winthrop.edu and the Winthrop University Police Department.

    Anytime you believe you are the victim of a phishing scam, e-mail servicedesk@winthrop.edu with details on what happened and you will be contacted concerning options and next steps.