
Enterprise Information Technology


We’ve all come across a phishing e-mail that appeared to be a legitimate e-mail. Phishers take advantage of the fact that it is difficult to know with absolute certainty with whom you are communicating via e-mail. They use this uncertainty to pose as legitimate businesses, organizations, or individuals, and gain our trust, which they can leverage to convince us to willingly give up information or click on malicious links or attachments.

Be Aware of Phishing Scams

If you are vigilant and watch for telltale signs of a phishing e-mail, you can minimize your risk of falling for one. Telltale signs of a potential phishing e-mail or message include messages from companies you don’t have accounts with, spelling mistakes, messages from the wrong e-mail address (e.g., info@yourbank.fakewebsite.com instead of info@yourbank.com), generic greetings (e.g., “Dear user” instead of your name), and unexpected messages with a sense of urgency designed to prompt you into responding quickly, without checking the facts. E-mails requesting resumes, or claiming there is an ‘Unpaid Invoice’ that requires a quick response, are popular ‘urgent’ phishing e-mails. Common scenarios you may encounter are listed in the FAQ below.
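The telltale signs above can also be checked mechanically, for example in a mail-triage script. The following is an added example, not code from this page or from the university; the trusted-domain list, greeting and urgency phrases, and sample messages are constructed assumptions.

```python
from email.utils import parseaddr

# Assumed for illustration: domains the recipient really has accounts with.
TRUSTED_DOMAINS = {"yourbank.com"}
# Constructed phrase lists; tune these to the mail you actually receive.
GENERIC_GREETINGS = ("dear user", "dear customer", "dear account holder")
URGENCY_PHRASES = ("unpaid invoice", "respond immediately", "within 24 hours")


def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None.

    A trusted domain and its real subdomains pass. A domain that merely
    carries the brand as one of its labels (yourbank.fakewebsite.com)
    is reported as an imitation.
    """
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None
    labels = domain.split(".")
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in labels:
            return trusted
    return None


def phishing_signs(from_header, body):
    """List the telltale signs found in one message."""
    signs = []
    domain = sender_domain(from_header)
    imitated = lookalike_of(domain)
    if imitated:
        signs.append(f"sender domain {domain} imitates {imitated}")
    text = body.lower().lstrip()
    if text.startswith(GENERIC_GREETINGS):
        signs.append("generic greeting")
    if any(phrase in text for phrase in URGENCY_PHRASES):
        signs.append("urgent call to action")
    return signs


# Constructed sample message, modelled on the wrong-address example above.
SAMPLE_FROM = '"Your Bank" <info@yourbank.fakewebsite.com>'
SAMPLE_BODY = "Dear user,\nYou have an Unpaid Invoice. Respond immediately."
```

An empty result does not authenticate the sender: From addresses can be forged, so verifying through a known phone number still applies.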

Recommendations

  • Be suspicious of unsolicited e-mails, text messages, and phone callers. Use discretion when providing information to unsolicited phone callers, and never provide sensitive personal information via e-mail.

  • If you want to verify a suspicious e-mail, contact the organization directly on a known phone number. Do not call the number provided in the e-mail. Or, have the company send you something through US mail (which scammers won’t do).

  • Only open an e-mail attachment if you are expecting it and know what it contains. Be cautious about container files, such as .zip files, as malicious content could be packed inside.

  • Visit websites by typing the address into the address bar. Do not follow links embedded in an unsolicited e-mail.

  • Use discretion when posting personal information on social media. This information is a treasure-trove to spear phishers who will use it to feign trustworthiness.

  • Keep all your software patched or up-to-date. Home users should have the auto update feature enabled.

  • Keep your antivirus software up to date to detect and disable malicious programs, such as spyware or backdoor Trojans, which may be included in phishing e-mails.

FAQ

  • How do I report a Suspicious, Fraudulent, or Spam e-mail?
    • You can report a suspicious or unsolicited e-mail in Office 365 (web interface or desktop application). Microsoft uses this information to stop other e-mails and block links in existing e-mails.

      • If you are reporting the e-mail in Outlook on the web, click the ‘Report’ button and click ‘Report Phishing’.

      • If you are reporting the e-mail in the Outlook desktop application, make sure you have the Report Message add-in applied to your account. Select the e-mail you would like to report, click Report Message, and select the category you would like to report the message as.

        • To apply the Report Message add-in, click the Get Add-Ins button on the tool bar, then search for Report Message. Click Add and Continue. After the process of applying the add-in is complete, the Report Message button should appear on the right-hand side of the ribbon.

      • You can report a Suspicious or Fraudulent e-mail to the Information Security Services (ISS) Group by taking one of these actions:

      • You can report a Spam e-mail to the Information Security Services (ISS) Group by taking one of these actions:

    • You can report an e-mail to the IT Helpdesk by composing a new e-mail message addressed to helpdesk@okstate.edu and dragging the suspicious or unsolicited e-mail to the new e-mail message; this method will allow the suspicious e-mail to be added as an attachment in the new mail item. You may also forward the suspicious e-mail to helpdesk@okstate.edu.

  • What are common phishing scenarios that I may encounter?
    • An e-mail appearing to be from the ‘fraud department’ of a well-known company that asks you to verify your information because they suspect you may be a victim of identity theft.

    • An e-mail that references a current event, such as a major data breach, with a malicious link to set up your ‘free credit reporting’.

    • An e-mail claiming to be from a state lottery commission that requests your banking information to deposit the ‘winnings’ into your account.

    • An e-mail with a link asking you to provide your login credentials to a website from which you receive legitimate services, such as a bank, credit card company, or even your employer.

    • A text message that asks you to call a number to confirm a ‘suspicious purchase’ on your credit card. When you call, the operator will know your name and account information and ask you to confirm your ATM PIN. (This is a form of SMSishing). What should you do?
