Phishing refers to a range of techniques used by scammers and hackers to steal private information through fraudulent emails and/or websites. Examples of private information that could be targeted include usernames, passwords, financial data, card numbers, student or employee IDs, Social Security Numbers, contact information, health and government records, and personal life details. Phishing attacks range from laughable Nigerian Prince email scams to sophisticated impersonations that can infiltrate governments and world organizations. In general, an attacker will:
Pose as a trusted entity, such as a bank, subscription service, university administrator, or even coworker
Reach out via emails, texts, websites, or other media crafted to resemble real communications
Invite you to act in a way that compromises personal information or money
A successful phishing attempt can result in identity theft, malware infection, data compromise, and steep financial loss.
Here are ten to-dos for every time you receive an unexpected message or request:
Take your time. A minute of caution now can save you from the embarrassment and frustration of losing private data to a criminal.
Look for anomalies. Ask yourself: is there anything out of the ordinary about this email? Were you expecting it? Is it written in the sender’s voice, or does it sound “off”? Are there grammar or spelling errors? Are the logo and branding different from usual, or even missing altogether? Note that professional places of business will rarely allow even one mistake in their emails.
Beware urgency. Messages that urge you to act quickly before a deal ends, an account closes, or some other consequence strikes should raise a red flag. Online criminals often capitalize on their victims' instincts and fears. Don't accept any "free" offers or make any account changes you aren't absolutely sure you signed up for.
Beware requests for private information. Reputable organizations, like banks, government institutions, large companies, and your university, will never pressure you to divulge credentials or information, and certainly not in a single urgent email.
Check any URLs. You can mouse over a link or button to see where it goes (or press and hold on a mobile device). Look for unusual spellings or extra material in the URL. Links that start with “http” instead of “https”, or that have long, multi-part domains (like “download.google.com.drive.systeca.net”) are particularly suspect. In a URL, the most important element is the domain. In the example above, systeca.net is the actual domain, not google.com.
Check the sender’s email address. Does their email match their organization exactly? Watch out again for misspellings or extra characters, like “susan@amazon.com.net” or "susan@grnail.com".
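The two checks above (where a link really points, and whether a sender's domain matches the organization it claims to be) can be scripted. The following is an added example written for this page, not code from BYU or from the original article; the trusted-domain list, the short list of multi-label suffixes, and the look-alike substitutions are all assumptions made for illustration (a real deployment would use the organization's own allow-list and the Public Suffix List). It extracts the registrable domain from a hostname, flags non-https links and brand names buried inside an unrelated domain, and flags sender domains that are one character off from, or visually confusable with, a trusted one.

```python
"""Added example: link and sender-address checks for email triage."""
import re
from urllib.parse import urlsplit

# Hypothetical allow-list of domains the reader trusts (assumption for the example).
TRUSTED_DOMAINS = {"google.com", "amazon.com", "gmail.com", "byu.edu"}

# Simplified public-suffix handling; these multi-label suffixes are an assumption.
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.uk", "com.au"}

# Character sequences that look alike at a glance ("rn" reads as "m", etc.).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def registrable_domain(host):
    """Return the part of a hostname that its owner actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_url(url):
    """Return warnings for a link, following the page's advice."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        warnings.append("not https")
    domain = registrable_domain(host)
    if domain not in TRUSTED_DOMAINS:
        # A trusted brand appearing only as a subdomain is the
        # "download.google.com.drive.systeca.net" pattern.
        for trusted in sorted(TRUSTED_DOMAINS):
            if trusted in host:
                warnings.append(
                    f"brand '{trusted}' embedded in untrusted domain '{domain}'")
    if host.count(".") >= 4:
        warnings.append("long multi-part hostname")
    return warnings


def normalize_lookalike(domain):
    """Collapse confusable sequences so 'grnail.com' compares as 'gmail.com'."""
    for bad, good in CONFUSABLES:
        domain = domain.replace(bad, good)
    return domain


def edit_distance(a, b):
    """Levenshtein distance; catches single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(address):
    """Return warnings for a From: address, following the page's advice."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return ["malformed address"]
    host = m.group(1).lower()
    domain = registrable_domain(host)
    warnings = []
    if domain in TRUSTED_DOMAINS:
        return warnings
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted in host:  # brand buried in an unrelated domain, e.g. amazon.com.net
            warnings.append(f"'{trusted}' appears inside untrusted domain '{domain}'")
        elif normalize_lookalike(domain) == trusted or edit_distance(domain, trusted) == 1:
            warnings.append(f"'{domain}' looks like '{trusted}'")
    return warnings


if __name__ == "__main__":
    # Constructed samples taken from the examples in the text above.
    for u in ("https://download.google.com.drive.systeca.net/", "http://byu.edu/login"):
        print(u, "->", check_url(u))
    for s in ("susan@amazon.com.net", "susan@grnail.com", "susan@gmail.com"):
        print(s, "->", check_sender(s))
```

Both functions return a list of plain-language warnings rather than a verdict, because a reviewer still has to decide; an empty list means only that none of these specific tells fired.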
Look for other contact information. Does the sender provide a phone number or address? If you receive an email from an unknown source, it’s best to independently research the source before responding in any way. Type the links yourself instead of clicking.
Never, under any circumstances, reply directly to a suspicious email.
Ask the human. Instead of replying directly, find and contact the sender via another channel of communication. For example, you could easily dismiss a phishing email pretending to be your bank by checking your bank account manually (that is, without clicking links in the email). If you get a message from a superior asking for an urgent and possibly sensitive favor, you have every right to send them a text or knock on their door to confirm it's really them. You'll likely be respected for exercising caution with sensitive tasks.
Report suspicious emails. If you believe the message is suspect, forward it as an attachment to us at phishing@byu.edu.
To test your ability to identify phishing emails, take five minutes to try Google's helpful phishing quiz. The quiz provides an up-to-date look at what tactics online criminals will use to try to harm you.
If you think that an email or message you've received seems suspicious, please forward it as an attachment to us for review.
Our information security team will carefully examine the message. If it really is a phishing attempt, we will take any necessary measures to alert other potential victims. You can also check our Phish Bowl, an up-to-date repository of recent phishing attempts.