Don't Take the Bait. Spear phishing emails will appear to come from a trusted source.
Spear phishing is a highly targeted form of phishing, which is an email that is made to appear to come from a friend, colleague or business you are familiar with.
If phishing is putting your hook into the water hoping anyone bites, then spear phishing is knowing what type of fish you’re looking for and using specific information to reel them in. This will generally appear as an urgent looking email, and will either ask you for sensitive information and/or link to malicious content.
What You Should Look Out For
When checking your email, it is important to pay attention to every detail, especially if something seems out of the ordinary. If your English professor sends you an email in broken English with an attachment, it’s most likely a spear phishing attempt.
Normally these emails will mention some type of urgency or haste, and request that you act on something immediately. This is done purposefully so that you’ll be less likely to thoroughly read and examine the email.
Some attempts may be incredibly deceptive. Someone posing as your professor may send a link and tell you your grade on a recent midterm is available; the body of the email may look completely legitimate, yet the email address could reveal something amiss. Be careful for emails that have numbers replacing letters; for instance, instead of firstname.lastname@example.org, you might see email@example.com. That zero instead of an O could be the difference between a real email and a phishing attempt.
Other attempts may come from a trusted business, or a business you have recently interacted with. As an example, you may receive a spear phishing email from your bank that is disguised as an account inquiry or a notification to change your password. Sometimes the email address itself will appear to be legitimate, but looking further will prove that it is fraud.
The example shown here is an actual address, but notice how both the name and email address are shown. Someone would be able to change their name so that it would appear that “IT Work Order Support” is emailing you, but have a fake email address. If something seems “phishy”, check the details of the sender by clicking the drop-down arrow next to their name (Gmail) to see who is really sending the message. Look for the small details. Someone could have the email “firstname.lastname@example.org” that looks official at a quick glance, but that missing letter makes a world of difference.
Note the specificity of the message–or the non-specificity of the message. If you receive an email from Amazon or another business that says “Dear Sir/Madam” and not “Dear [your name]”, that is something that could indicate phishing.
Be aware of any links in a suspicious message. If you receive an email from Adelphi that looks official, but there is a link to a website you’ve never heard of, do not open it. Similarly, be careful before opening any short links from emails as well.
Think You’ve Been a Victim of Phishing?
- Reset your passwords, especially if you use the same password for multiple sites. (We recommend having different passwords for each site, so something like this may not give an attacker access to all of your information.)
- Notify someone. If you believe you have been a victim from an Adelphi email address, contact the Help Desk immediately. If you believe you were a victim from another source (business, friend, colleague) let that person or business know ASAP.
- Check your credit and debit card statements; often, attackers will go after financial information.
- Report the email you believe you were a victim of to your email client (gmail, outlook, etc.)
What Are the Possible Consequences?
If you are a victim of phishing, the attacker could potentially have access to a ton of your information. Passwords could give them access to bank accounts or social accounts, and could even leave you open to identity theft.
Protecting your information is of the utmost importance. Remember that Adelphi and most other establishments will NEVER ask you for any type of username or passwords through email. If you receive a suspicious request make sure to contact the proper organization, friend or colleague (not by replying to that email) to confirm everything before moving forward.