What is Phishing and how does it work?
Phishing scams are fraudulent communications, which appear to come from a legitimate source, such as a co-worker, manager, service provider, or bank. The most frequent goal of this scam is to extract private information, such as account credentials, or to achieve some type of financial gain.
Why should I be concerned about phishing?
A malicious individual could:
- Take on your identity
- Sell your data on the internet
- Use your accounts
- Lock you out of your accounts and data
- Buy things with your money, for example a house or a car
- Impact your credit rating
- Set up accounts in your name
What are common indicators of phishing attempts, according to the U.S. government (CISA)?
- Suspicious sender’s address. The sender's address may imitate a legitimate business. Cybercriminals often use an email address that closely resembles one from a reputable company by altering or omitting a few characters.
- Generic greetings and signature. Both a generic greeting—such as “Dear Valued Customer” or “Sir/Ma’am”—and a lack of contact information in the signature block are strong indicators of a phishing email. A trusted organization will normally address you by name and provide their contact information.
- Spoofed hyperlinks and websites. If you hover your cursor over any links in the body of the email, and the links do not match the text that appears when hovering over them, the link may be spoofed. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). Additionally, cybercriminals may use a URL shortening service to hide the true destination of the link.
- Spelling and layout. Poor grammar and sentence structure, misspellings, and inconsistent formatting are other indicators of a possible phishing attempt. Reputable institutions have dedicated personnel that produce, verify, and proofread customer correspondence.
- Suspicious attachments. An unsolicited email requesting that a user download and open an attachment is a common delivery mechanism for malware. A cybercriminal may use a false sense of urgency or importance to help persuade a user to download or open an attachment without examining it first.
What can I do?
Carefully review messages (email, chat, text) you receive, especially if:
- The sender's email address is suspect. For example, the sender's name is someone who works at CatholicU, but their email address is from outside the university.
- The message uses personal, public information about you to lure a response. (Example: "Chris, as a Residence Life professional...")
- The message seems designed to create urgency and fear. (Example: "Your access will end unless you renew today!")
- The message contains a link and urges you to use it. (Example: "Click here to renew.")
- The message asks you to send money, buy gift cards, or reveal your personal information.
Trust your instincts! If it seems wrong, it probably is.
Security tips for preventing phishing and other malware attacks
- Don't give away your password! Always make sure you are using a legitimate website before entering your password. Never share your password with anyone. Catholic University staff will never ask you for your password.
- Use caution with links and attachments, and when entering website addresses. Be careful when clicking directly on links in email, chat/text or other messaging apps, even if the sender appears to be someone you know. Attempt to independently verify website addresses (e.g., contact the Service Desk, or search the internet for the sender organization’s website or the topic mentioned in the email). Pay attention to the website addresses you click on, as well as those you enter yourself. Malicious website addresses often appear almost identical to legitimate sites, often using a slight variation in spelling (e.g., cath0lic instead of catholic) or a different domain (e.g., .com instead of .edu).
- If you receive a message that appears to come from someone at Catholic University but the message or request seems a little unusual or "off," call the person to confirm that they indeed sent the message. DO NOT message back for confirmation, and do NOT click any links the message may contain.
- Mark suspicious email messages as Spam. This action updates Gmail's filters and warns other recipients.
- Use https website addresses. Look for the “padlock” icon in the address bar of your web browser before you provide passwords, personal or financial information online. You can click the lock icon to view additional information about the security of the site you are visiting.
- Block pop-up advertisements. Pop-up blockers disable windows that could potentially contain malicious code or links. Make sure this web browser feature is enabled on all your devices. Consider using ad blocker browser add-ons.
- Use two-factor authentication on your accounts wherever possible. Two-factor authentication adds an extra layer of security to your account in case your password is stolen. Turn on 2-Step Verification for your Cardinal Mail Google Workspace account.
- Update the software on your computers, phones and tablets. Ensure your applications and operating systems have been updated with the latest patches. Vulnerable apps and device software are the target of most malware attacks.
- Maintain up-to-date anti-virus software, and enable your computer's software firewall.
- Use a strong password. Instead of using a short, complex password that is hard to remember, use a passphrase of 14 characters or more. Learn more about selecting a strong password on our Security and Privacy web page.
- Do not reuse a password, or use passwords with only minor variations, for different accounts. That way, if one account is compromised, the malicious actor cannot easily access your other accounts.
- Use an account with limited permissions. Using a login account that does not have administrative privileges may prevent malware from running or limit its capability to spread through the network.
- Don't leave your unlocked computer or device unattended, even for a few moments. Power it off, log out, or activate a lock screen that requires authentication to unlock.
- Avoid using public Wi-Fi. Unsecured public Wi-Fi may allow an attacker to intercept your device’s network traffic and gain access to your personal information. Use your cellular carrier and connect to campus with a VPN.
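The indicators above are things a person checks by eye; several of them can also be checked mechanically. The following is an added example, not part of this page and not a university tool, that turns three of the CISA indicators into code: a sender address that imitates a trusted domain by altering or omitting a few characters (the "cath0lic instead of catholic" and ".com instead of .edu" cases from the tips above), link text that does not match the link's real destination, and links routed through a URL shortener. The trusted domain (example.edu), the shortener list, the homoglyph table and the sample message are all constructed for the illustration; the domain-splitting is deliberately naive (no public-suffix list), which is one reason such checks are an aid to judgment rather than a replacement for it.

```python
# Added example: mechanical checks for the phishing indicators discussed on
# this page. Domains, addresses and the sample message are constructed.
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed set of domains the reader's organization actually owns (constructed).
TRUSTED_DOMAINS = {"example.edu"}
# Well-known public URL shorteners; a shortened link hides its true destination.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# Characters attackers swap for visually similar letters (cath0lic -> catholic).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})
# Link text that itself looks like a URL or bare domain, e.g. https://portal.example.edu/x
URL_RE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def levenshtein(a, b):
    """Edit distance; catches 'altering or omitting a few characters'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Naive 'label.tld' of a host (no public-suffix list, so co.uk-style suffixes are out of scope)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_domain(host, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender or link host."""
    host = host.lower()
    reg = registered_domain(host)
    if reg in trusted:                      # example.edu or any real subdomain of it
        return "trusted"
    label = reg.partition(".")[0]
    norm = label.translate(HOMOGLYPHS).replace("rn", "m")
    for t in trusted:
        t_label = t.partition(".")[0]
        if t in host:                       # trusted name embedded in a host it does not own
            return "lookalike"
        # same name after homoglyph repair (also catches a swapped TLD), or within one edit
        if norm == t_label or levenshtein(label, t_label) <= 1:
            return "lookalike"
    return "unrelated"


def host_of(url):
    """Hostname of a URL, tolerating a missing scheme."""
    return urlparse(url if "//" in url else "//" + url).hostname or ""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Flag a lookalike sender domain, or a display name that claims the org from an outside address."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    verdict = classify_domain(domain, trusted)
    findings = []
    if verdict == "lookalike":
        findings.append(f"sender domain {domain} imitates a trusted domain")
    org_names = {t.partition(".")[0] for t in trusted}
    if verdict != "trusted" and any(o in name.lower() for o in org_names):
        findings.append(f"display name {name!r} claims the organization but address is {addr}")
    return findings


def check_links(html, trusted=TRUSTED_DOMAINS):
    """Flag shortened links, text/destination mismatches and lookalike link domains."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if registered_domain(host) in URL_SHORTENERS:
            findings.append(f"shortened link hides destination: {href}")
        if URL_RE.match(text) and host_of(text) != host:
            findings.append(f"link text {text!r} does not match destination {host}")
        if classify_domain(host, trusted) == "lookalike":
            findings.append(f"lookalike link domain: {host}")
    return findings


def analyze_message(from_header, html_body, trusted=TRUSTED_DOMAINS):
    return check_sender(from_header, trusted) + check_links(html_body, trusted)


# Constructed sample message showing each indicator once.
SAMPLE_FROM = '"Example University Service Desk" <servicedesk@examp1e.edu>'
SAMPLE_HTML = """
<p>Dear Valued Customer, your access will end unless you renew today!</p>
<p><a href="https://bit.ly/3xyzAb">https://portal.example.edu/renew</a></p>
<p><a href="https://example.edu.account-verify.com/login">Click here to renew</a></p>
"""

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_FROM, SAMPLE_HTML):
        print("-", finding)
```

Run against the constructed sample, the checks report the sender domain as a lookalike (examp1e vs example), the display name as claiming the organization from an outside address, the first link as both shortened and mismatched against its visible text, and the second link as embedding the trusted name in a domain it does not own. Everything a human does by hovering over the link is what `check_links` does with the parsed `href`.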
What to do when I fall victim to phishing?
Catholic University Phishing Attempts
See examples of phishing email messages that have been received by the Catholic University community.
Note: Please log on with your Cardinal Credentials to view the page.