E-mail is not secure by default. It is similar to a postcard written in pencil. As the postcard works towards it’s destination, it makes numerous stops and can be altered, read, or copied by various people along the way. Because of this, personal information should never be sent via e-mail. This includes your social security number, credit card information, medical information, financial information, home address, etc. As a general rule, you should assume anything sent over email could become public information.
Phishing attacks pretend to be a person or organization that you trust. They try to leverage that trust to convince you to perform an action that will result in someone else gaining access to your passwords, personal information, or computer. For example, an attacker may send you a fake email that appears to come from Amazon, Gmail, UPS, your bank, or even Michigan Tech. This email will try to get you to click on a link in order to trick you into entering your information into a fake website. For example, a phishing attack that appears to come from Amazon or Gmail would likely have a link for you to click on that would bring you to a login page that may look exactly like Amazon or Gmail. Unfortunately, if you enter your password into one of these fake sites, the attacker will then have your username and password and can use them for malicious purposes. For Gmail, they may use your account to send more spam or reset passwords to other accounts that you own. For Amazon, they may order merchandise on your credit card. For Michigan Tech, they may try to access your personal information for identity theft or fraud. The motivations and exact techniques may vary, but there are “red flags” that can help you more easily identify phishing attacks.
Phishing Red Flags
A link in the email does NOT go to the expected site (see image below)
- You should always “hover-check” your links by holding your mouse cursor over any links you plan to click. Your browser will tell you the site of the link (in the bottom left hand corner) and that should match the site you expect to visit.
- If you’ve already clicked the link, you can also check that the site is secure by verifying the domain name, looking for the padlock, and looking for the green https indicator.
The email has a sense of urgency
Some examples include emails stating your account is expiring, access will be removed, fraud has occurred on your account, legal action will be taken, a limited time offer is available, etc. These types of emails will give you a link to click on in order to “resolve the issue," but in reality, they are just trying to gain access to your information or computer.
The email comes from an unexpected address
While it is possible to make an email appear to come from someone else, some attackers don’t bother and you can spot a phishing attack simply by checking the sender of the email. Sometimes attackers will send an email from a similar address such as Amazon-Sales@gmail.com instead of Sales@Amazon.com.
The email is generic instead of being customized for you
Sometimes phishing attacks will say "Dear Customer" or "Dear User" rather than including your actual name. This makes the attack generic and applicable to a wide range of users.
If you suspect that an email is a phishing attempt, please forward it to email@example.com and report it in Gmail by using the “Report phishing” option. This allows MTU’s security team as well as Gmail’s security team to follow up and prevent other users from getting the same phishing email. Please note that “Report phishing” is different than “Report spam.” Spam is just unwanted junk mail, while phishing is fraud related.