The Information Security Office at Salt Lake Community College will be sending out emails posing as phishing scams to test student and employee knowledge of how to handle a scam like this. The assessment will be used by the Department of Information Technology to evaluate how people react to possible scams and to also help prevent people from being scammed in the future. Luckily, these emails will not cause any harm to any computers that receive them.
Contrary to popular belief, most hacking is not done through brute force attacks, but is instead carried out through what is called social engineering, preying on human fallibility to sneak inside a secure network. Phishing is a type of social engineering where users are directed to a seemingly credible site, and is intended to retrieve personal information such as credit card or social security numbers, account passwords, or other sensitive and valuable information.
According to the InfoSec Institute, a common theme for scammers is to use a website that may seem recognizable and trustworthy. Often the scammer will slightly misspell a word so that the website address looks similar to the real one.
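The misspelled-address trick described above can be checked for mechanically by comparing a link's host name against the sites a user actually trusts. The Python below is an added example, not part of the original article or any SLCC tooling; the trusted domains and sample links are constructed placeholders, and the distance threshold of 2 is an assumption.

```python
from urllib.parse import urlsplit

# Constructed allowlist; replace with the sites you actually bookmark.
TRUSTED = {"my.college.example", "bank.example", "webmail.example"}


def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "bnak" for "bank".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def classify_link(url, trusted=TRUSTED, max_distance=2):
    """Return (verdict, matched_domain) for the host a link really points to."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ("unknown", None)
    for domain in sorted(trusted):
        # Exact match or a genuine subdomain of a trusted site.
        if host == domain or host.endswith("." + domain):
            return ("trusted", domain)
    # Not trusted: is it suspiciously close to something that is?
    best = min(sorted(trusted), key=lambda d: edit_distance(host, d))
    if edit_distance(host, best) <= max_distance:
        return ("lookalike", best)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a message body.
    for link in ("https://my.college.example/login",
                 "https://my.colege.example/login",
                 "https://bnak.example/verify",
                 "https://news.site.test/story"):
        print(link, "->", classify_link(link))
```

A "lookalike" verdict means the host is not on the list but is within a couple of keystrokes of one that is, which is the pattern worth reporting rather than clicking.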
Scammers do not target any specific demographic. Emails are sent out randomly and anyone can be affected. Here are some tips provided by the SLCC Information Security Office on avoiding phishing scams:
- Never send sensitive information, including passwords, financial data or other personally identifiable information (PII) via email. A reputable organization or business will never ask you to send confidential information via email.
- Never respond to e-mails unless you are 100% sure the sender is legitimate. When in doubt, call the organization or business but do not use contact information found in the e-mail; instead, work through your established and trusted channels to verify the authenticity of a message received.
- Never open an attachment in a suspicious e-mail because it may install malicious software on your computer.
- Never click on a link in a suspicious e-mail because it may take you to a malicious website that may install malware on your computer.
- Never perform a money transfer requested via email, even if it appears to be coming from a trusted source. Remember, email addresses can be spoofed. Always verify that the wire transfer request is authentic by calling the person listed as a requestor, and make your supervisor aware of these requests.
- Use bookmarked links to go to trusted websites, and not links received in emails. Examples include MySLCC, banking websites, Webmail and others.
If you believe you are being scammed, be on the lookout for typographical errors, messages asking for information, or messages claiming to be from the IRS or FBI. If you are suspicious, you can always search the content of the message on Google to find out if it’s a known scam.
If you’ve been phished, immediately change your passwords for all active accounts, be on the lookout for unauthorized or unusual charges on bank accounts, and if necessary, report the incident through appropriate channels.
When contacted for further questions, the IT Department stated this was a security issue, and neglected to provide an example phishing email. More information on phishing scams, as well as general technical support, can be found at the Office of Information Technology homepage.