Phishing Tips: Beware of Email Links and Attachments

Recently, some Connecticut state employees responded to a well-crafted “phishing” email directing them to click on a link to what appeared to be the CORE-CT website in order to retrieve their W-2. The website was fake, and the employees who followed the link and entered their user ID and password unwittingly handed the perpetrators their CORE-CT login credentials, and with them access to all of the personal information stored in CORE-CT, such as Social Security number, home address, birth date, etc.

Armed with this information cybercriminals can file a phony income tax return in your name, open credit card accounts and attempt to steal funds in your bank accounts or retirement savings accounts.

Here are some tips to protect yourself from phishing:

How to Spot a Phishing Email

Phishing is a deceptive attempt to pose as a reputable entity or person in electronic communications, such as email, IM or social networking.

Unofficial “From” Address. Look for a sender’s email address that is slightly different from (but similar to) an official email address. The most recent phishing attack came from an address that displayed as: donotreply@ct.gov <ssellick@tbaytel.net>. The first part is only a display name, which the sender can set to anything; the address in angle brackets is where the message actually came from, and tbaytel.net is outside the state’s system.

Urgent Call for Action. Cyber criminals include urgent “calls to action” in emails to get you to react immediately. Be wary of emails containing phrases like “your account will be closed,” “your account has been compromised,” or “urgent action required.” The cybercriminal is taking advantage of your concern to trick you into providing confidential information immediately.

Generic Greetings. Cyber criminals send thousands of phishing emails at a time. They may have your email address, but they seldom have your name. Be skeptical of an email sent with a generic greeting, such as “Dear Customer” or “Dear Member.” (The most recent attack targeted Core-CT, our state’s Enterprise Resource Planning system.)

Link to a Fake Website. To trick you into disclosing your user name and password, cyber criminals often include a link to a fake website that looks like (sometimes exactly like) the sign-in page of a legitimate website. Just because a site includes a company’s logo or looks like the real page doesn’t mean it is! Logos and website layouts are easy to copy. You can detect a fraud by hovering your mouse cursor over the link without clicking: the actual destination address appears (usually in a tooltip or at the bottom of the window), and it may not be the one the link text shows. Read the domain name carefully, since a fake address is often made to resemble the real one. The best practice is to refrain from CLICKING ANY LINKS IN EMAIL. Navigate to the site by your normal means, such as a saved bookmark or by typing the address yourself.

Legitimate Links Mixed with Fake Links. Cyber criminals sometimes include authentic links in their spoof pages, such as to the genuine privacy policy and terms of service pages for the site they’re mimicking. These authentic links are mixed in with links to a fake phishing web site in order to make the spoof site appear more realistic.

Other Characteristics of Phishing Emails:

  • Spelling errors, poor grammar, or inferior graphics.
  • Requests for personal information such as your password, Social Security number, or bank account or credit card number. Legitimate companies will never ask you to verify or provide confidential information through an unsolicited email.
  • Unexpected attachments (which might carry viruses or keystroke loggers, programs that record what you type).
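The indicators above can be applied mechanically to a raw message. The script below is an added example for this page, not a tool from the state or the IT Help Center: using only Python's standard library it parses an email, checks whether the From display name claims a different address than the real sender, flags urgent phrases and generic greetings, and compares each link's visible text with its real destination (the same thing the hover check reveals). The sample message, the trusted domain list (ct.gov) and the hostnames core-ct.ct.gov and core-ct-login.example.net are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: the organisation really sends from, and links to, ct.gov.
TRUSTED_DOMAINS = {"ct.gov"}
URGENCY_PHRASES = ("account will be closed", "account has been compromised",
                   "urgent action required")
GENERIC_GREETINGS = ("dear customer", "dear member", "dear employee", "dear user")
HOST_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.I)  # text that looks like a URL


def email_domain(addr):
    """Domain part of an address, or '' if the string has no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def host_of(url):
    """Hostname of a URL (a bare hostname is accepted too)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_from(header):
    """Display name claiming one address while the real sender (in <...>) is elsewhere,
    plus any sender outside the organisation. In a raw header the display name is
    quoted; a mail client shows it as donotreply@ct.gov <ssellick@tbaytel.net>."""
    name, addr = parseaddr(header)
    claimed, actual = email_domain(name), email_domain(addr)
    findings = []
    if claimed and claimed != actual:
        findings.append(f"display name claims {claimed} but mail is really from {actual}")
    if actual and not is_trusted(actual):
        findings.append(f"sender domain {actual} is outside the organisation")
    return findings


def check_text(text):
    """Urgent calls to action and generic greetings in the message body."""
    low = text.lower()
    findings = [f"urgent call to action: '{p}'" for p in URGENCY_PHRASES if p in low]
    return findings + [f"generic greeting: '{g}'" for g in GENERIC_GREETINGS if g in low]


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs: the text is what the reader sees,
    the href is what hovering over the link would reveal."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_links(html):
    """Links whose visible text names one host but whose href goes to another, and
    links leading outside the organisation. Genuine links (privacy policy, terms)
    pass, which is why their presence proves nothing about the message."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        target = host_of(href)
        shown = host_of(text) if HOST_LIKE.fullmatch(text) else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but goes to {target}")
        if target and not is_trusted(target):
            findings.append(f"link goes to {target}, outside the organisation")
    return findings


def triage(raw):
    """Run every check over a raw message and return the findings without duplicates."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = check_from(str(msg["From"] or ""))
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            findings += check_text(part.get_content())
        elif part.get_content_type() == "text/html":
            body = part.get_content()
            findings += check_text(body) + check_links(body)
    return list(dict.fromkeys(findings))


# Constructed sample modelled on the attack described above; all hosts are made up.
SAMPLE = """\
From: "donotreply@ct.gov" <ssellick@tbaytel.net>
To: employee@ct.gov
Subject: Your W-2 is ready
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Dear Employee,

Urgent action required: sign in to Core-CT to retrieve your W-2.

--b1
Content-Type: text/html

<html><body><p>Dear Employee,</p>
<p>Urgent action required: sign in at
<a href="http://core-ct-login.example.net/w2">https://core-ct.ct.gov/login</a>
to retrieve your W-2.</p>
<p><a href="https://www.ct.gov/privacy">Privacy Policy</a></p></body></html>
--b1--
"""

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

Running the script on the sample reports the display-name mismatch, the outside sender domain, the urgent phrase, the generic greeting, and the link whose text reads core-ct.ct.gov while its real target is core-ct-login.example.net; the genuine privacy policy link raises nothing, exactly as the "legitimate links mixed with fake links" tactic intends. None of these checks replaces the rule above: a message with no findings can still be a phish, so navigate to sites your normal way rather than through email links.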

What to Do if You Are a Victim of a Phishing Email

If you have clicked on a suspicious email link and believe your personally identifiable information may have been compromised, here are a few steps you can take to protect yourself.

  • Change your passwords for all employer software systems, and all personal bank, retirement and financial accounts. If you entered your CORE-CT credentials on the fake site, change that password first, do it from a device you trust, and report the incident to the IT Help Center.
  • If you have not already done so, register your financial and banking accounts for online access yourself, so that no one else can set up online access in your name, and choose challenging security questions with answers that only you would know.
  • Regularly review your bank, credit card, retirement and financial account(s) for any unauthorized activity.
  • Regularly review your credit report for any unauthorized activity. Under federal law, you are entitled to one free copy every 12 months. You may obtain a copy by calling 877-322-8228 or online at annualcreditreport.com.
  • Learn more by visiting the Federal Trade Commission’s website at ftc.gov/credit.

The Department of Administrative Services will be introducing a new Cyber Security Awareness training program soon. It will include further information on how to use email safely. If you are suspicious about any email that you receive, contact the IT Help Center at x4400 or via email: helpdesk@uchc.edu