Phishing Awareness and What to Do if You Fall Victim

Phishing is a type of fraud in which a hacker attempts to gather personal information or credentials by impersonating a legitimate brand and sending users to a malicious website.
 

Phishing is most common type of cyber-attack in Education, responsible for more than 90 percent of security breaches. No cybersecurity solution can block 100 percent of attacks.

To help protect yourself and FSU from Phishing attacks here are 7 items to keep in mind when you receive a suspicious e-mail.

1. Email Addresses Can Be Spoofed
   
   Never trust an email based simply on the purported sender. Cybercriminals have many methods to disguise emails.
    
2. Subject Lines and Emails Often Include Enticing or Threatening Language
   
   Evoking a sense of panic, urgency, or curiosity is a commonly used tactic. Users are typically quick to respond to emails that indicate potential financial loss or that could result in personal or financial gain.
   ITS will never send an anonymous email asking you to urgently click on a link. ITS also does not facilitate its vendors or business partners to email the FSU user community directly with urgent announcements.
    
3. A Personalized Message is Not a Sign of Legitimacy
   
   Today’s phishers are including the victim’s name in the subject line and prefilling the victim’s email address on the phishing webpage. A personalized email is not a sign of a legitimate email.
    
4. Phishing Messages Often Have Errors in the Body of the E-mail
   
   Employees need to read their emails carefully, not just skim them. You should read emails carefully for both glaring and subtle grammatical issues that might indicate that the sender is not reputable.
    
5. Links Aren’t Always What They Seem
   
   Every phishing email includes a link, but phishing links are deceptive. Make sure you hover over all links before clicking them to see the pop-up that displays the link’s real destination. If it is not the website expected, it is probably a phishing attack. Be especially cautious of URLs that end in alternative domain names instead of .com or .org.
    
6. Phishing Links Can Be Sent via Attachment
   
   All phishing emails contain a link, but it’s not always in the email. To avoid detection by email security filters, hackers will include a phishing link in an attachment, such as a PDF or Word doc, rather than the body of the email.
    
7. Hackers Use Real Brand Images and Logos in Phishing Emails
   
   Brand logos and trademarks are no guarantee that an email is real. Images are public and can be downloaded from the internet or easily replicated.

WHAT TO DO IF YOU FALL VICTIM

Phishing messages become more commonplace and sophisticated with each passing year as a result of our heavy use of email and technology in everyday life. Near the beginning of the calendar year in particular, scammers tend to increase their efforts to obtain confidential information in order to file fraudulent tax returns. Regardless of when it may happen, it's all too easy for us to fall victim to these scams, however, it's critically important to take action as soon as possible.

Next Steps

If you have inadvertently fallen prey to a phishing message and provided your Framingham credentials after clicking on a malicious link, you should immediately do the following:

• Reset your FSU password as soon as possible by following the instructions here.
• Run an antivirus scan on your device.
• Notify the Help Desk if you haven't already done so so that IT is aware of what happened and can help watch for suspicious activity associated with your account.
• Don't be ashamed! These messages are constantly changing, so help others stay aware and avoid phishing emails/scams by sharing how this particular message tripped you up and what you've learned to watch out for in the future.

If you have inadvertently fallen prey to a phishing message and provided personally identifiable information such as your social security number, you may become the victim of identity theft: 

The Federal Trade Commission has resources for victims of identity theft to create recovery plans and take active steps toward minimizing the impact and repairing any damage.

• Reset your FSU password as soon as possible by following the instructions here.
• Visit www.identitytheft.gov
• Create a recovery plan by:
• • Using their guided assistant feature, or
  • Reviewing their complete list of possible recovery steps
• Execute the recovery plan
• Notify the Help Desk if you haven't already done so so that IT is aware of what happened and can help watch for suspicious activity associated with your account
• Don't be ashamed! These messages are constantly changing, so help others stay aware and avoid phishing emails/scams by sharing how this particular message tripped you up and what you've learned to watch out for in the future.

Some of the possible steps included in a recovery plan could include, but are not limited to:

• Consider filing a complaint with the FTC
• Review the IRS Guide to Identity Theft: https://www.irs.gov/uac/taxpayer-guide-to-identity-theft
• Contact one of the three major credit bureaus to place a ‘fraud alert’ on your credit records:
• • Equifax, www.Equifax.com, 1-800-766-0008
  • Experian, www.Experian.com, 1-888-397-3742
  • TransUnion, www.TransUnion.com, 1-800-680-7289
• Contact your financial institutions and ask them to review your accounts with you.
• If your SSN is compromised and you know or suspect you are a victim of tax-related identity theft, the IRS recommends these additional steps:
• • Respond immediately to any IRS notice; call the number provided or, if instructed, go to IDVerify.irs.gov.
  • Complete IRS Form 14039, Identity Theft Affidavit, if your e-filed return rejects because of a duplicate filing under your SSN or if you are instructed to do so. Use a fillable form at IRS.gov, print, then attach the form to your return and mail according to instructions.