Don’t Be Fooled by a Phishing Email Scam
When John Stein, dean of students, received an email from an airline that was supposedly confirming a flight, it didn’t even cross his mind that it could be a scam.
“I was scheduled to travel right around that time, so it looked legitimate to me,” Stein said. “But when I clicked on the link, nothing occurred. Something inside me made me forward it to our division Office of Information Technology (OIT) staff member, and I asked him if I’d made a mistake.”
The staff member told Stein that the email had been a phishing scam. As a result of clicking the link, Stein lost access to his computer for an extended period while OIT cleaned it.
“A phishing email scam usually involves a bad guy trying to get an unsuspecting person to click on a harmful link and divulge sensitive information,” said Jason Belford, principal information security engineer for OIT. “The problem is that these emails seem believable, and people make the mistake of doing what the email says.”
In 2012, 169 campus users were victims of a phishing scam. In most cases, phishing emails appear to be from a person or company the recipient knows and include a call to action. For example, some emails will instruct recipients to click on a link and provide information to ensure one of their accounts isn’t deactivated.
“Once the bad guy has your Georgia Tech username and password, he can do everything from sending an unflattering email to your boss to changing the location where your paycheck is deposited,” Belford added.
The good news is that knowledge is power when it comes to not being a victim of these scams. Belford offers the following tips:
- Verify the links. Analyze the link provided in the email by hovering your mouse over it. (Smartphone users can hold a finger on the link to see this information.) If it is a Georgia Tech site, the domain will be gatech.edu. If the link is from a company you do business with, the domain will be the company’s name. For example, UPS is ups.com and Microsoft is microsoft.com.
- Look for “https.” Make sure the URL starts with “https://.”
- Never respond. Never respond to a phishing email. Simply report it and delete it. Forward any phishing emails (as attachments) to email@example.com.
- Trust your instincts. If something doesn’t seem right, it’s probably not. Don’t make excuses as to why something could be valid. When in doubt, you can always ask your computer support representative for advice.
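As an added example (not from the article or from OIT), here is Python that applies the first two tips to a link's real destination: the domain must be the expected one (gatech.edu, ups.com) or a subdomain of it, the scheme must be https, and the visible link text must not name a different host than the one it actually points to. The function names and the sample links are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Matches link text that itself looks like a domain or URL (e.g. "www.ups.com/track").
_DOMAIN_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def link_matches_domain(url: str, expected_domain: str) -> bool:
    """True if the link uses https and its host is expected_domain or a subdomain of it.

    Lookalikes such as gatech.edu.evil-example.com or notgatech.edu are rejected
    because the host must end at a label boundary ('.' + expected_domain).
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    # https alone proves nothing about who runs the site; the domain check below matters more.
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # lowercased; userinfo ("user@") and port are stripped
    if not host:
        return False
    expected = expected_domain.lower().strip(".")
    return host == expected or host.endswith("." + expected)


def displayed_text_misleads(display_text: str, href: str) -> bool:
    """True when the visible link text names a host other than the real destination.

    This is the mismatch that hovering over (or long-pressing) a link reveals.
    Plain words like "Click here" name no host, so they are not flagged here.
    """
    m = _DOMAIN_IN_TEXT.match(display_text.strip())
    if not m:
        return False
    shown = m.group(1).lower()
    real = urlsplit(href.strip()).hostname or ""
    return not (real == shown or real.endswith("." + shown))


# Constructed sample links: (visible text, actual href, domain the sender claims to be)
SAMPLE_LINKS = [
    ("passport.gatech.edu", "https://passport.gatech.edu/login", "gatech.edu"),
    ("passport.gatech.edu", "https://passport.gatech.edu.evil-example.com/login", "gatech.edu"),
    ("www.ups.com/track", "http://www.ups.com/track", "ups.com"),
]


def triage(links=SAMPLE_LINKS):
    """Return (href, verdict) for each link; 'report' means do not click."""
    return [(href, "ok" if link_matches_domain(href, dom)
             and not displayed_text_misleads(text, href) else "report")
            for text, href, dom in links]
```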
“My advice to anyone is to always err on the side of caution — no matter how legitimate something looks,” Stein said. “Checking with an OIT staff member first can potentially save you many hours of disruption.”
OIT also offers a few training opportunities to help educate faculty and staff about phishing and how to avoid becoming a victim. One option is a 15-minute anti-phishing training session, which any campus unit can request.
Units may also participate in OIT’s fake phishing exercise where a scam email is sent to faculty and staff. If a person responds to the email with their username and password, he or she receives an immediate message stating that had the email been an actual phishing attempt, “bad guys” would have the employee’s account information.
“If you respond to the fake email and receive our response message, don’t worry — you won’t get in trouble,” Belford said. “We’re just trying to reach out to people who are confused about which emails are legitimate and which emails aren’t, before it’s too late.”