Phishing and smishing

Remember

If you are even a little suspicious of an email, forward it to abuse@wsu.edu for our university IS Security team to review.

How many times have you received an email where you were not quite sure if you should click the link it contains? How about a text message reminding you to claim a gift or prize from a contest you were not aware you were participating in? In today’s world, much of our communication revolves around technology and digital forms of communication. Unfortunately, this also means there is an increase in malicious actors using those channels to fool you. The best defense against these kinds of attacks is a skeptical and informed end user. So let’s get skeptical!

Definitions (just so we’re all on the same page)

Phishing

A type of social engineering in which an attacker attempts to trick the victim into providing confidential or sensitive information or to gain the ability to install malicious software (viruses, ransomware, key loggers, etc.) on the victim’s infrastructure.

These are often made as generic as possible, because they are sent to a large number of potential victims and need to be applicable to anyone who receives them.

Example: You receive an email from “WSU IT Department.”

Smishing

A specific type of phishing that uses SMS messages sent to the victim’s mobile device, often claiming to offer gifts from reputable companies along with a link to claim them.

Example: Your phone received a text message claiming you need to click a link to claim your winnings in a sweepstakes.

Spear Phishing

This is a more sophisticated form of phishing in which the attacker has already gained information about the intended target and then uses it to make targeted attempts to gain access.

Example: You receive an email from your direct supervisor or colleague asking you to click a link and provide your information. This requires the attacker to know at least the hierarchy or structure of your workplace.

Very important disclaimer

It is important to note that there is no single solution that will apply to all cases of a phishing attack, as they are constantly becoming more refined.

(Remember what Abe Lincoln famously said in the Gettysburg Address: “Don’t believe anything you read on the internet without confirming it for yourself.”)

If you feel unsure, ask yourself these questions.

Were you expecting this communication?
Often this is the easiest way to spot an attack attempt. Did you receive an email from a colleague who no longer works here, or a friend request from someone you are already friends with?
Are you giving something away in this communication?
Accepting a Facebook request provides someone with your name, friends list, phone number, email address, and likes/dislikes. This information can be used for future attempts to get information from you or your friends.

If your bank or IT department reaches out to you and then asks you to click a link to get back to them, it’s almost always a good idea to contact them directly through a known good method like their direct email, phone number, or website.

Are they asking you to provide information they should already have?
Are there misspellings, incorrect grammar, or a logo that seems washed out or otherwise not correct?
One form of these attacks is the widespread mass email campaign. If it is coming from a less sophisticated group, you will see misspelled words, poor grammar, or logos copied and pasted from real websites.
Does this request or communication require you to prove yourself to them—instead of the other way around?
Example: Someone calls you saying that they are from your bank, and then they ask you to verify information to confirm your identity starting with your phone number.

But you just called me—don’t you already have my phone number?

A cautionary tale, starring Erika Fleck, with James Henderson as “Teh Deen”
