Phishing e-mails are as old as e-mail itself, which far predates the World Wide Web. Please be careful to avoid opening e-mails that may look suspicious. Brandon Whetstone wrote an e-mail to all staff and faculty at Colorado Early Colleges Fort Collins. This is a modified version of that e-mail geared towards students.
Phishing attempts come in various forms and often at unexpected times. Be cautious when you receive e-mail from either someone you do not know or an e-mail address with which you are not familiar. I received an e-mail that did not look quite right this morning and sent it to IT. This is a good opportunity to use this e-mail as a teaching moment.
If you’re not aware of what “phishing” is, it’s when someone tries to get you to give them money, a password, or even verification that they sent an e-mail to a valid and active e-mail address, by pretending to be someone else. Usually phishing attempts come from someone pretending to be a person whom you know. They always want you to buy something or give them personal information. Please, please remember that giving out personal information or buying something where you did not initiate the contact is never a good idea. For example, no one at CEC will ever, ever ask you to go out and purchase something with your own money over e-mail, especially gift cards. The first rule is to be skeptical, and then be super cautious. If you do not know the person, the simplest answer is to not answer the e-mail. If you think it might be important, go to the internet and research the person and the organization they represent. If you feel you must get in touch with the person and you think you know them, use a known e-mail address that you already have to ask them if they sent the e-mail. Even if the return address appears to be correct, spoofing occurs too often, where the e-mail address you see is not really the one being used to send the message.
Being vigilant against phishing attempts just takes some common sense, so I wanted to highlight some specifics of this phishing attempt that should have set off the alarm bells.
So, here is the message I received today:
Let’s look at a few things. First, the e-mail address. It’s from a Gmail account, which anyone can set up and set their name to be anything they want. Just because the sender’s name is Sandi Brown does not mean it came from her personal Gmail. Most people will only communicate about company or school business from an account tied to that company or school. Any Colorado Early Colleges employee, including me at the time of this writing, will use @coloradoearlycolleges.org as the domain for their e-mail.
Second, look at the time. This message was sent at 5:57 am. Most meetings happen during regular business hours, so I highly doubt anyone would be in a meeting at 5:57 am.
Third, personal e-mail accounts usually don’t have a work title as a signature. If a personal e-mail has a work title, be cautious. If it has the wrong title, then you definitely know it is a phishing scam. In this example, the work title is wrong, as Sandi Brown is now Chief Executive Administrator.
Fourth, if there were an emergency, you would not be contacted over e-mail. But if you were to engage the scammer, you would realize they want you to buy something or give them personal information. Buying anything at 6 am is never an emergency. Be super cautious about being asked to purchase anything over e-mail from a personal account.
Fifth, phishing e-mails usually have poor writing, as you can see in this e-mail. You can also tell this did not come from an iPhone because iPhones have built-in tools to improve writing, including proper capitalization of letters and spacing between punctuation.
Sixth, this e-mail does not have the most dangerous item: a link or executable. Never ever open an executable attached to an e-mail, even if it is from a known source. If you think it is vital to your work, download it first and have your scanner take a look at the file. Talk with the person who sent it to you and make sure that there are no viruses or malware in the executable. Again, if not sure, DO NOT OPEN. Also be very cautious with links. If you have any hesitation at all, hover over the address. If the URL that pops up at the bottom of your e-mail client does not match the displayed URL (spoofing), do not click on the link. If you want to find out more, copy the URL and paste that address in your search line and let your search engine tell you more about the URL in question.
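The first and sixth checks above (a sender address outside the school domain, and a link whose displayed URL differs from where it really goes) can also be automated. The following is an added example, not part of the original e-mail; the sample message, its addresses and the function names are constructed for illustration, and only the coloradoearlycolleges.org domain comes from the article.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "coloradoearlycolleges.org"  # staff domain named in the article

# Constructed sample message (not the e-mail described in the article).
SAMPLE = """\
From: "Jane Doe" <jane.doe@example.com>
Subject: Are you available?
Content-Type: text/html

<p>Please sign in: <a href="http://login.example.net/reset">https://coloradoearlycolleges.org/portal</a></p>
"""

def sender_outside_domain(msg, trusted=TRUSTED_DOMAIN):
    """True when the From address is not on the trusted domain."""
    _name, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() != trusted

class LinkAudit(HTMLParser):
    """Collects (shown_text, real_href) pairs where the hosts differ."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.mismatches = None, "", []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown = self.text.strip()
            # Only compare when the visible text itself looks like a URL.
            if "://" in shown and urlparse(shown).hostname != urlparse(self.href).hostname:
                self.mismatches.append((shown, self.href))
            self.href = None

def audit(raw):
    """Return (sender_is_outside_domain, list_of_mismatched_links)."""
    msg = message_from_string(raw)
    links = LinkAudit()
    links.feed(msg.get_payload())
    return sender_outside_domain(msg), links.mismatches

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A From address on the trusted domain is not proof of a genuine sender, since the visible address can be spoofed as described earlier.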
If you want to get better at spotting phishing e-mails, take this quiz from Google that teaches you what to look for. https://phishingquiz.withgoogle.com/
If you ever think you have received a phishing e-mail on your school account, do not respond and forward the e-mail to firstname.lastname@example.org.
Be careful and you will be a bit safer on-line.