Spotting Malicious Email

A malicious email may look like it comes from legitimate sources like the Helpdesk, the "IT Dept," an SPU employee, a financial institution, an e-commerce site, a government agency, or other service or business. It often urges you to act quickly, because your account has been compromised, you'll lose access to a resource, your order cannot be fulfilled, or there is another urgent matter to address.

If you are unsure whether an email request is legitimate, try to verify it with these steps:

• Beware of Clickable links that re-direct you to another web site. Always be cautious.  Use the "hover" technique to inspect links in email messages.
• Contact the person or company directly – do not reply to the email, but instead use contact information provided on an account statement, the company’s official website, or other official resource to reach out and verify the authenticity of the email.
• Search for the company online – but not with information provided in the email.

Phishing

"Phishing" is the name given to email messages that try and trick you to give up your username and password. Phishing scams often involve highly specialized attacks against specific targets or small groups of targets to collect information or gain access to protected systems. Cybercriminals have launched spear-phishing attacks against SPU in the past in order to steal credentials to view student data, re-route paychecks, or steal financial aid. Once compromised, the attacker may use your email account to phish others at SPU. Since SPU email addresses look more authentic to us, the phish will prove more effective in compromising others.

• See an example of a recent attack

Scams and Fraud

Scams are different than phish in the sense that scams typically involve money - your money. As one would expect, the number of scams increase in frequency and impact every year.  Scammers know what they are doing and are intent on tricking you: they may offer you a job, ask you to transfer money for some sympathetic cause, send them gift cards, or solicit sensitive information about you or others. Often they'll pretend to be someone you know.  Here are some examples of how you can combat the threat of scams and fraudulent:

• Enable filters on your email programs: Most internet service providers (ISPs) and email providers offer spam filters and ways for you to mark an email as spam. Be careful with this, however, as you may end up blocking emails you want if the filtering is too strict. It’s a good idea to occasionally check your Junk and Spam folder to ensure the filters are working properly.
• Report Scams and Fraud:  If you come across anything suspicious, please refrain from responding; alert Computer and Information Systems by forwarding the message to help@spu.edu.
• Own your online presence: Consider hiding your email address from online profiles and social networking sites or only allowing certain people to view your personal information. 

Reporting Fraud

To report a scam, file a complaint online with the Federal Trade Commission. Check out their video on how to report scam and more ways to avoid fraud.  You can also report fraud to the FBI Internet Crime Complaint office

Report Phishing and Scams on Social Networks

Spam, phishing and other scams aren’t limited to just email. They’re also prevalent on social networking sites. The same rules apply: When in doubt, throw it out. This rule applies to links in online ads, status updates, tweets and other posts. Here are ways to report spam and phishing on major social networks:

• Reporting spam and phishing on Facebook
• Reporting spam on Twitter
• Reporting spam and phishing on YouTube

Tips for Avoiding Being a Victim

• Do not reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in an email.
• Do not send anyone confidential documents via email unless they are encrypted.
• Before sending or entering sensitive information online, check the security of the website.
• Pay attention to the website’s URL. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com versus .net).
• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Contact the company using information provided on an account statement, not information provided in an email. Check out the Anti-Phishing Working Group (APWG) to learn about known phishing attacks and/or report phishing.
• Keep a clean machine. Keep all software on internet-connected devices – including PCs, smartphones and tablets – up to date to reduce risk of infection from malware.

Use the "Hover" Technique

Many phishing messages include links that send the user to a malicious website or a fake login page. Hover-over the web links with your mouse to inspect the web site address BEFORE YOU CLICK! An example might be the printed URL and actual destination addresses don't match.

What to Do if You Are a Victim

• If you think you might have fallen for a scam and exposed your SPU username and password, immediately go to the Banner System (Personal Menu → Computer Accounts Menu → Change Your Password) and reset your SPU password.
• If you believe your financial accounts may be compromised, contact your financial institution immediately.
• Watch for any unauthorized charges to your account.
• Consider reporting the attack to your local police department, and file a report with the Federal Trade Commission or the Internet Crime Complaint Center.

STOP.THINK.CONNECT.™ Tips

• When in doubt, throw it out: Links in email, tweets, posts and online advertising are often how cybercriminals try to compromise your information. If it looks suspicious, even if you know the source, it’s best to delete or – if appropriate – mark it as junk.
• Think before you act: Be wary of communications that implores you to act immediately, offers something that sounds too good to be true or asks for personal information.
• Make your password a sentence: A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
• Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.
• Lock down your login: Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys, or a unique one-time code through an app on your mobile device (all examples of Two-Factor Authentication, or 2FA). Your usernames and passwords are not enough to protect key accounts like email, banking, and social media.

Visit the STOP.THINK.CONNECT website for more tips.

CIS HelpDesk Support and Hours

We're here to help! Stop by the CIS HelpDesk in Lower Marston Hall or give us a call.

Office Hours 
Monday - Friday 7:30 a.m. - 5:00 p.m.

Extended Hours
(Telephone, email and classroom support, office visits by appointment) 
Monday - Thursday 5:00 p.m. - 9:00 p.m. 
Saturday 9:00 a.m. - 1:00 p.m.