{"id":101548,"date":"2016-09-23T15:06:52","date_gmt":"2016-09-23T19:06:52","guid":{"rendered":"http:\/\/www.bu.edu\/tech\/?page_id=101548"},"modified":"2021-09-01T10:20:46","modified_gmt":"2021-09-01T14:20:46","slug":"phishing","status":"publish","type":"page","link":"https:\/\/www.bu.edu\/tech\/support\/information-security\/security-for-everyone\/phishing\/","title":{"rendered":"BU Phishing Guide"},"content":{"rendered":"
\n
\n
\n
\n

Phishing<\/strong><\/h3>\n

Phishing<\/strong><\/em> is a scam intended to steal personal and financial information from unsuspecting victims. Passwords, credit card numbers, bank account information, Social Security number, or other sensitive information–all are valuable to scam artists.<\/span><\/p>\n

SMiShing<\/strong><\/h3>\n

A form of phishing<\/span>, SMiShing<\/em><\/strong> is when someone tries to trick you into giving them your private information or click on a link via a text (SMS message.) Put simply, SMiShing is any kind of phishing that involves a text message. SMiShing is particularly effective because\u00a0 people tend to be more inclined to trust a text message than an email. Most people are aware of the security risks involved with clicking on links in emails but less true when it comes to text messages. <\/span><\/p>\n

For more information on SMiShing check out: <\/span>https:\/\/www.fcc.gov\/avoid-temptation-smishing-scams\u00a0<\/a><\/p>\n

Spear Phishing<\/strong><\/h3>\n

Spear phishing<\/em><\/strong> involves highly specialized attacks against specific targets or small groups of targets to collect information or gain access to systems. For example, a cybercriminal may launch a spear phishing attack against a business to gain credentials to access a list of customers. From that attack, they may launch a phishing attack against the customers of the business. Since they have gained access to the network, the email they send may look even more authentic and because the recipient is already customer of the business, the email may more easily make it through filters and the recipient maybe more likely to open the email.<\/p>\n

The cybercriminal can use even more devious social engineering efforts such as indicating there is an important technical update or new lower pricing to lure people.<\/p>\n

How to avoid being phished<\/strong><\/h3>\n

Most people think they are pretty knowledgeable about spam and phishing, yet every day someone at Boston University falls for a common email scam and has their account compromised.Be proactive in protecting yourself. Phishing emails come in many forms and though the most important thing you can do is to avoid them altogether, here are some useful tips to avoid getting hooked:<\/p>\n

Tips for Being Safe Online <\/h4>
<\/p>\n

When in doubt, throw it out:<\/strong>\u00a0Links in email, tweets, posts and online advertising are often how cybercriminals try to compromise your information. If it looks suspicious, even if you know the source, it\u2019s best to delete or \u2013 if appropriate \u2013 mark it as junk.<\/p>\n

Think before you act:<\/strong>\u00a0Be wary of communications that implores you to act immediately, offers something that sounds too good to be true or asks for personal information.<\/p>\n

Make your passphrase a sentence<\/strong>: A strong passphrase is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, \u201cI love country music.\u201d). On many sites, you can even use spaces!<\/p>\n

Unique account, unique passphrase:<\/strong>\u00a0Having separate passphrases for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passphrases.<\/p>\n

Lock down your login<\/strong><\/a>:<\/strong>\u00a0Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passphrases are not enough to protect key accounts like email, banking and social media.<\/p>\n

<\/div>\n<\/div>\n\n

Don't click the provided link<\/h4>
<\/p>\n

It is trivially easy to make a link lie to you.\u00a0\u00a0 Instead of clicking a provided link, use your browser to go to the known and trusted website by typing the link into your web browser yourself.For example, take this link: http;\/\/www.google.com\/<\/a>\u00a0If you click this, it will not take you to Google, it will take you somewhere completely different.\u00a0 Scammers use this trick all the time to trick you to going to malicious websites.You can tell where a link is going to take you by\u00a0hovering<\/em>\u00a0over it with your mouse.\u00a0 Don\u2019t click.\u00a0 Hover.\u00a0 If you do this for the link above you will see “onguardonline.gov” pop up in a box by your pointer or in a space at the bottom of your email client or browser.<\/p>\n

If you are on a smartphone, click and hold the link to have a box appear that will show you the real destination and ask if you really want to go there.<\/p>\n

General rule: if the email message is lying to you about where it wants to send you, it is a scam.<\/strong><\/p>\n

<\/div>\n<\/div>\n\n

Monitor your security<\/h4>
<\/p>\n
    \n
  1. If you are concerned about your account, contact the organization using a phone number you know to be genuine, or open a new Internet browser session and type in the company\u2019s correct Web address yourself.<\/li>\n
  2. Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly.<\/li>\n
  3. Never share your personal or financial information.<\/li>\n
  4. Review credit card and bank account statements as soon as you receive them to check for unauthorized charges.<\/li>\n
  5. Forward spam that is phishing for information to\u00a0spam@uce.gov<\/a>\u00a0and to the company, bank, or organization impersonated in the phishing email. You also may report phishing email to\u00a0reportphishing@antiphishing.org<\/a>, the Anti-Phishing Working Group — a consortium of ISPs, security vendors, financial institutions and law enforcement agencies — uses these reports to fight phishing.<\/li>\n
  6. If you\u2019ve been scammed, visit the Federal Trade Commission\u2019s Identity Theft website at\u00a0www.consumer.gov\/idtheft<\/a>.<\/li>\n<\/ol>\n

    <\/div>\n<\/div>\n\n

    Know The Real So You Can Spot The Fake<\/h4>
    <\/p>\n

    Boston University uses Extended Validation Certificates, be on the lookout for its appearance in various browsers:<\/p>\n

    \"EV<\/p>\n

    \"EV<\/p>\n

    \"EV\"EV\"EV\"EV<\/p>\n


    <\/div>\n<\/div>\n\n

    Learn how to detect a phishing message & fight phishing<\/strong><\/h3>\n

    Know the top spam scams<\/a>, so you can recognize them when you see them.<\/p>\n

    The email asks for your password<\/h4>
    <\/p>\n

    It is a scam.\u00a0 Delete it.\u00a0 You will never be asked for your account password from a legitimate source.<\/p>\n

    <\/div>\n<\/div>\n\n

    The email is about a financial account you don't have or an order you know nothing about<\/h4>
    <\/p>\n

    Typically, phishers send an e-mail or pop-up message that claims to be from a business or organization that you may deal with \u2014 for example, an Internet service provider (ISP), bank, online auction service, online payment service, travel service, or even a government agency.

    The message may ask you to update<\/em>, validate<\/em>, or confirm<\/em> your account information. Some phishing emails threaten a dire consequence if you don\u2019t respond. The messages direct you to a website that looks just like a legitimate organization\u2019s site. It is almost certain a scam and could look something like this:<\/p>\n

    “We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.”<\/em><\/p>\n

    -Or-<\/em><\/p>\n

    “During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information.”<\/em><\/p>\n

    <\/div>\n<\/div>\n\n

    The email comes with an attachment you weren't expecting<\/h4>
    <\/p>\n

    These files can contain viruses or other software that can weaken your computer’s security.<\/p>\n

    They may be videos sent to you from a friend’s account that has been compromised. \u00a0They may be PDF files from some company claiming to contain an invoice from a recent purchase you did not actually make. \u00a0They might be “screen savers” or executables\u00a0masquerading\u00a0as any number of believable things.<\/p>\n

    Know what is normal for you, so you can recognize the abnormal.<\/p>\n

    <\/div>\n<\/div>\n\n

    The email has obvious grammatical or spelling errors<\/h4>
    <\/p>\n

    Be suspicious of email messages that claim to be from a business and yet contain errors in grammar, use of words, spelling or punctuation should send you a red flag. \u00a0Most businesses have several layers of review before a message is approved for release to the public. \u00a0Obvious errors will typically be caught and removed during this process.
    \n<\/div>\n<\/div>\n\n

    Learn how to detect a SMiShing test and be on the lookout:<\/strong><\/h3>\n

    Things you can do to avoid being a victim of a SMiShing attempt include:<\/p>\n