Information Security: Phishing Examples

PHISHING EXAMPLES

To review the most recent phishing attempts: ITS PHISH TANK. For tips on phishing avoidance, click here.

The University (and other reputable institutions) will not ask for personal or password information in unsolicited e-mail messages, so you should NEVER respond to such messages or click on any links in them, no matter how real they appear to be. Report any suspicious phishing emails to security@binghamton.edu.

You can hover your cursor over a link (don't click!) to reveal the link's actual destination. In a phishing scam this will often be a URL that you don't recognize and that differs from the visible link text. Broken English and grammatical errors in a message are also a telltale sign of phishing.

Knowing what to look for will help you identify a phishing scam; however, if you have any doubt at all about the validity of the message, call a contact number for the organization obtained from verifiable paper correspondence or from the telephone book. Is it phishing or legitimate? Take the SonicWALL Phishing IQ test.

Though phishing messages can vary in design or style, many contain similar elements used by attackers that can be identified to help protect users from falling victim. Below are some common tricks used by attackers to phish their targets:

 

Sender's actual email does not match their displayed name:

phishing example

The sender attempts to make his email address look like a "binghamton.edu" address, but by looking to the right of the displayed name (or by hovering your mouse over the sender's name), we can see the actual address is polifarma@veloxmail.com.br. Posing as a trusted sender by changing their displayed name is a common tactic used by phishing attackers.

 

Link in message goes to suspicious site:

phishing example

Check to make sure links in messages are going to the sites they are claiming. If a message claims to be from a Binghamton University sender, links for services should be to binghamton.edu web pages.

 

Message asks for personal information to be sent back:

phishing example

Reputable organizations will NEVER ask for personal information, especially financial information or passwords, to be sent via email. Binghamton University ITS especially will not demand that passwords or this type of information be sent in order to confirm an account or prevent account suspension. Be wary of any message making these types of requests.

Message contains aspects of urgency to respond:

phishing example

A common technique used by attackers is to create a feeling of urgency so that targets feel compelled to act quickly, without properly evaluating the legitimacy of the request. Messages that demand a response or action within a short time frame, and that threaten action on the sender's part if the demand is not met, should be met with particular suspicion.