Protecting Yourself from Phishing Scams

The start of a new semester offers a good opportunity to assess the current phishing landscape. While multi-factor authentication, strong passwords and anti-virus software remain key ingredients of information security, bad actors continue to adapt their methods and schemes.

Some things to keep in mind:

  • Attackers are doing their research. They search for email addresses, roles, phone numbers and office locations and will even search social media sites like LinkedIn to gather more information on their targets. They use this data to craft attacks that are believable to their targets.
  • Phishing emails attempt to engage the recipient in an email conversation to elicit funds. These might be attacks that try to share a document or emails that appear to come from a peer or a supervisor asking, “Are you there and can you help me?”
  • Attackers interact with their targets in real time. When they send a phishing message, they monitor activity to know when to send a second email or text message asking their victims for their multi-factor authentication (MFA) token or code.
  • Although phishing attacks have become more sophisticated and challenging to detect, there are often tell-tale clues. Carefully check the message’s return address and ask yourself if it makes sense. Evaluate whether the link or attachment in the message looks valid. Ask yourself if you are expecting such a message from the sender. If not, reach out to the purported sender in a separate email or phone call to validate the message.
  • One of the best ways to help protect yourself is not to use the same password across multiple sites and services. When attackers compromise a password from one system, they will use that same password to try to access accounts at Google, Apple, Microsoft, social media and other services. Reusing your password for multiple services leaves you exposed to this common tactic.
  • If unsure, ask. As stated, attackers are getting more sophisticated, and detecting their phony emails is getting more difficult. If you are at all uncertain about the validity of a message, contact the ITS Information Security team by email at itsecurity@syr.edu.

To learn more about information security, visit the Information Security page on Answers.

This story was written by Chris Croad, chief information security officer at Syracuse University.