Statistically, 10-15% of you will be "phished" or scammed online this school year, exposing you to fraud, identity theft, and financial risk. Computer and Information Systems works hard to protect members of the SPU community; we block between 4,000 and 12,000 malicious emails every day, but some messages inevitably get through. Be cautious and know what to look for!
Spotting Malicious Email
A malicious email may look like it comes from legitimate sources like the Helpdesk, the "IT Dept," an SPU employee, a financial institution, an e-commerce site, a government agency, or other service or business. It often urges you to act quickly, because your account has been compromised, you'll lose access to a resource, your order cannot be fulfilled, or there is another urgent matter to address.
If you are unsure whether an email request is legitimate, try to verify it with these steps:
Beware of clickable links that redirect you to another web site. Always be cautious. Use the "hover" technique to inspect links in email messages.
Contact the person or company directly – do not reply to the email, but instead use contact information provided on an account statement, the company’s official website, or other official resource to reach out and verify the authenticity of the email.
Search for the company online – but not with information provided in the email.
"Phishing" is the name given to email messages that try to trick you into giving up your username and password. Phishing scams often involve highly specialized attacks against specific targets or small groups of targets to collect information or gain access to protected systems. Cybercriminals have launched spear-phishing attacks against SPU in the past in order to steal credentials to view student data, re-route paychecks, or steal financial aid. Once your account is compromised, the attacker may use it to phish others at SPU. Since SPU email addresses look more authentic to us, the phish will prove more effective in compromising others.
Scams differ from phish in that scams typically involve money - your money. As one would expect, scams increase in frequency and impact every year. Scammers know what they are doing and are intent on tricking you: they may offer you a job, ask you to transfer money for some sympathetic cause, ask you to send them gift cards, or solicit sensitive information about you or others. Often they'll pretend to be someone you know. Here are some examples of how you can combat the threat of scams and fraudulent:
Enable filters on your email programs: Most internet service providers (ISPs) and email providers offer spam filters and ways for you to mark an email as spam. Be careful with this, however, as you may end up blocking emails you want if the filtering is too strict. It’s a good idea to occasionally check your Junk and Spam folder to ensure the filters are working properly.
Spam, phishing and other scams aren’t limited to just email. They’re also prevalent on social networking sites. The same rules apply: When in doubt, throw it out. This rule applies to links in online ads, status updates, tweets and other posts. Here are ways to report spam and phishing on major social networks:
Pay attention to the website’s URL. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com versus .net).
If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Contact the company using information provided on an account statement, not information provided in an email. Check out the Anti-Phishing Working Group (APWG) to learn about known phishing attacks and/or report phishing.
Keep a clean machine. Keep all software on internet-connected devices – including PCs, smartphones and tablets – up to date to reduce risk of infection from malware.
Use the "Hover" Technique
Many phishing messages include links that send the user to a malicious website or a fake login page. Hover over the web links with your mouse to inspect the web site address BEFORE YOU CLICK! For example, the printed URL and the actual destination address may not match.
What to Do if You Are a Victim
If you think you might have fallen for a scam and exposed your SPU username and password, immediately go to the Banner System (Personal Menu → Computer Accounts Menu → Change Your Password) and reset your SPU password.
If you believe your financial accounts may be compromised, contact your financial institution immediately.
Watch for any unauthorized charges to your account.
When in doubt, throw it out: Links in email, tweets, posts and online advertising are often how cybercriminals try to compromise your information. If it looks suspicious, even if you know the source, it’s best to delete or – if appropriate – mark it as junk.
Think before you act: Be wary of communications that implore you to act immediately, offer something that sounds too good to be true, or ask for personal information.
Make your password a sentence: A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.
Lock down your login: Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys, or a unique one-time code through an app on your mobile device (all examples of Two-Factor Authentication, or 2FA). Your usernames and passwords are not enough to protect key accounts like email, banking, and social media.