Information Security: Phishing Avoidance

PHISHING

STUDENTS, FACULTY & STAFF - If you have not changed your password recently, please do it NOW. Change your password to a unique one with a minimum of 12 characters, and use a password manager.

REVIEW PHISH SCAM ALERTS: Think that email message could be a hoax? YES - and it sure is SMART to be suspicious.  Review the Information Security page, the Phishing page and the ITS PHISH TANK to stay on top of this matter.

Phishing scams range from "click here for more info" messages to fraudulent job offers with fake checks attached. We have also seen requests to purchase gift cards, demands to pay false fines, phone-related scams, AND MANY OTHER JOB-RELATED SCAMS. Contact the Help Desk and report to security@binghamton.edu.

Phishing is a technique in which users are directed by an official-looking e-mail to provide personal information under false pretenses. The message may appear to come from a bank, police agency, or even a friend, coworker or other legitimate entity. The information requested may be a credit card number, social security number, ATM PIN number, password or other personal information. The recipient is asked to provide this information via e-mail or by visiting an official-looking website and warned that failure to do so may result in a discontinuation of service. Legitimate businesses and government entities are aware of phishing scams and would not ask you to send sensitive information in response to unsolicited e-mail. You should treat these messages like spam and never reply to them. Information Technology Services advises people to never send any passwords via an e-mail message for any reason.

STUDENT CONTACT REGARDING PERSONAL INFORMATION and TUITION

If contacted via phone and asked for personal information, you should immediately be suspicious, especially if the person is claiming to work for a U.S. government agency. Ask for the person's full name, the agency they are working for and a telephone number to call the person back. They will probably tell you that your only opportunity to resolve the issue is at the time of the call and that you have to take action now. Do not believe them. NEVER release personal information over the phone. If you have any questions or issues, contact the Help Desk. Should you ever get any requests in print, please bring them to the ISSS Office or Financial Aid immediately and we will review them and advise accordingly.

Some students have been targeted in scams where an individual or organization promised to secure a better exchange rate for tuition payments. You should never share your Binghamton University login information with anyone. Make all payments directly through Student Accounts, using the official Flywire service for currency conversion.

Don't Take the Bait for Phishing Scams

Start with the DON'Ts and apply the DO's and you'll stay safe and secure from phishing attacks. It is for YOUR technology security and peace of mind.

1. DON'T fall for fake emails. Do NOT give out any financial aid or personal information via email, no matter how legitimate the email looks. RESEARCH the email first! Any request for personal info. from Binghamton University will come to you through the myBinghamton portal ONLY.

2. DON'T click on random links. Don't turn into a fish out of water! Don't randomly click links in emails and websites. HOVER OVER links and senders FIRST to make sure they're legit.

3. DON'T apply to suspicious job postings. Red fish, green fish, BLUE PHISH. You will be BLUE if you don't research job openings posted on Handshake or any others sent to you via Bmail.

4. DON'T connect to public Wi-Fi off campus... or you'll be asking for a HACK ATTACK! Hackers use public Wi-Fi as a breeding ground. Be secure and use Binghamton's VPN (virtual private network). It's easy, and it's peace of mind.
_________________

1. DO use 2-factor authentication! Add an extra layer of security by giving info other than just your username and password.

2. DO run malware and virus protection. Protect your devices by running the most current versions of browsers, virus protection, malware protection, software and apps. Check for updates on a regular basis for peace of mind.

3. DO back up your work. One easy way to protect yourself from losing valuable data is to RUN REGULAR BACKUPS. It's also nice for peace of mind.

4. DO protect your credentials. Binghamton University or any organization will NEVER SEND EMAILS requesting your usernames, passwords or other personal info.

MOST OF ALL - stay in tune with the latest advice and assurance to avoid phishing scams by following Binghamton ITS (@BinghamtonITS) via Twitter and Instagram

SOCIAL ENGINEERING

What is it?
Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. This differs from social engineering within the social sciences, which does not concern the divulging of confidential information. Basically, it is when a hacker uses social contact techniques to trick you into providing personal information that can break your security barrier, whether in person, by email, by text message, on the web, or over the phone.

Be prepared when someone YOU DO NOT KNOW:

  • asks you for info. they're not authorized to access
  • uses urgency or pressure to get what they want including using emotion, threats, fear, rushing...
  • uses tactics like technical jargon, confusing terms, grandiose offers, etc. to get you to respond
  • asks you to bypass or ignore standard security policies/processes
  • pretends to be someone you know, but their tone doesn't sound similar.

When in doubt, report it to the Help Desk and security@binghamton.edu.

We can only help you remain secure if you take measures to help yourself.

 EXAMPLES of SOCIAL ENGINEERING HACKER TRICKS to BE AWARE of.

MORE STEP BY STEP HELP WITH LINKS on WAYS TO AVOID PHISHING SCAMS

Some may be repetitive, but please review links to stay on top of phishing scam avoidance.

1. Keep Informed About Phishing Techniques - follow @binghamtonITS (Instagram | Twitter) on social media, review the ITS Information Security pages regularly to keep your data secure, and visit: security awareness training

2. Think Before You Click! Do not click on a link if you are not sure; hover over it before clicking to see if it leads where it should go...

3. Install an Anti-Phishing Toolbar, you will be glad you did - it's so easy and convenient.

4. Verify a Site's Security - Make sure the site's URL begins with "https" and shows a lock icon and certificate; more info. on above link.

5. Check Your Online Accounts Regularly - Beware of any suspicious activity.

6. Keep Your Browser Up to Date. WHY? Outdated versions of web browsers can leave you open to serious security flaws.

7. Use Firewalls - a firewall is a barrier or shield intended to protect your devices from data-based malware dangers. Learn more by visiting above link.

8. Be Wary of Pop-Ups - One false move just might cost more than you can afford to give.

9. Never Give Out Personal Information. Protecting your personal information can help reduce your risk of identity theft.

10. Use Antivirus Software: click for more information and available links.

11. Utilize 2-STEP Verification - You'll protect your account with both password and phone. Bmail Google 2-Step Help is easy; go here to add an extra layer of security to your account.

Go to phishing.org for more detailed information on each of these steps, and on more ways to avoid phishing...

HELPFUL LINKS for review of the latest scams to beware of:

Google Help: How Phishing Works, Information Phishing Sites May Ask For and Reporting Phishing Sites

Avoid Phishing Attacks: Gmail (Bmail) Help

Be careful anytime you get an email from a site asking for personal information. If you get this type of email:

Don't click any links or provide personal information until you've confirmed the email is real. If the sender has a Bmail address, report the Bmail abuse to Google and/or security@binghamton.edu, or contact the Help Desk.

Note: Bmail won't ever ask you for personal information, like your password, over email.

When you get an email that looks suspicious, here are a few things to check for:

  • Check that the email address and the sender name match.
  • Check if the email is authenticated.
  • Hover over any links before you click on them. If the URL of the link doesn't match the description of the link, it might be leading you to a phishing site.
  • Check the message headers to make sure the "from" header isn't showing an incorrect name.

IMPORTANT: If you think your Gmail (Bmail) address has been taken over, recover your compromised Gmail (Bmail) account before sending or opening any other emails. If you are having issues, first change your password, go to the IT Self Help page and then contact the Help Desk.

5 Latest Scam Emails You Should Avoid
Scam emails have come a long way from requests for money from far-flung lonely hearts, or investment opportunities from dubious overseas princes. These days, email scammers are cannier than ever at imitating legitimate brands to trick victims. By Adam Rowe of Tech.com

OTHER HELPFUL HINTS:

  • If you're asked to provide personal information via an e-mail message, DON'T.
  • If you're asked to provide personal information via a website, DON'T unless you're sure the request and web site are legitimate.
  • If a request is made to "click here to view full message" or to click on a link, DON'T; double-check with the sender first. If you hover over the link or button, you'll see that the address is not what it appears to be. Remember, some scams can mask their email addresses to make you think it's someone whom you trust.

Compromised Computer Accounts
There have been several e-mail phishing scams from accounts claiming to be Binghamton University e-mail addresses and asking recipients to send their passwords via a reply e-mail, or to "CLICK HERE..."  Some in our campus community have taken the bait and provided sensitive, personal material to unknown parties. Identity theft is a growing national issue. Phishing is one method for unscrupulous persons to gain access to personal or computer account information and launch either spam attacks or hacking attacks on others in the internet community. The account owner is usually not aware of this improper use.

See examples of phishing scams which target Binghamton University accounts.

ITS performed a spot check of outgoing e-mail and found that almost 100 people responded to one of these scams, which purported to be a request from the "Binghamton Technical Support Team" and threatened to cut off e-mail service unless the recipient responded with user ID, password and birth date. We notified those people that they responded to the scam and urged them to change the passwords on their accounts to strong passwords (8-character minimum with a mix of small letters, capitals, numbers and special characters). It is good practice to change your password frequently.

If you have doubts about requests to send sensitive information via e-mail or web page, DO NOT REPLY! Call the office or email the person/party responsible for the request and verify that the request is legitimate and that the data collected is handled securely during transit and at the recipient site. University offices must adhere to this high standard as well. Please consult the University policy on Internet privacy for details.

BE VIGILANT
There is no way we can monitor, filter or discover all the various phishing scams that our users may receive, so be forewarned and ready when you receive these types of solicitations. The University (and other reputable institutions) will not ask for personal or password information in unsolicited e-mail messages, so you should NEVER respond to them, no matter how real they appear to be. If you're unsure of the validity of the message, call a contact number for the organization obtained from verifiable paper correspondence or from the telephone book. Users should also report any suspicious messages to the ITS Help Desk (helpdesk@binghamton.edu or 607-777-6420) and/or security@binghamton.edu, as we are not always aware of every scam in circulation.

If you have fallen for a phishing scam, change your password immediately. Report any suspicious emails or phishing scams here. Contact the Help Desk if you're having major issues.