4.21.2008

Strategies To Avoid Falling Victim to Spear Phishing Attempts

Like many other academic institutions, SF State has recently been targeted in a series of spear phishing attempts. While new technology is being evaluated to detect and prevent these attacks, the following guidelines will help you recognize and avoid falling victim to spear phishing attempts:

What is phishing?
Phishing is an attempt to fraudulently acquire sensitive information by masquerading as a legitimate or trustworthy entity in an electronic communication. Phishing has typically been carried out by email (and is therefore a variant of spam) or instant messaging, and may also direct users to fraudulent websites to gather additional information. Spear phishing is highly targeted, aimed at specific individuals or communities of users, and the message is usually tailored to look like it comes from an organization those users already deal with.

An excellent background on phishing, its history and its ongoing evolution, is available on Wikipedia.

Recognize That Caller ID, Text Message Sender IDs, and Email “From/Reply To” Addresses Can All Be Forged

  • Caller ID, text message sender IDs and email “From” addresses can all be forged, so you cannot rely on them alone to verify who sent a message or as a valid “Reply To” address. Before responding, look at the actual address behind the display name and at any “Reply To” address; if either points somewhere other than the organization the message claims to be from, treat the message as suspect. The SFSU HelpDesk will not contact you first this way unless you have already contacted them, and will never ask you for sensitive data via email.


Don’t Respond to Mail You Suspect As Spam or Phishing Attempts
  • As indicated above, the reply address is often forged, stolen or created solely for sending spam. Replying only confirms that your email address is live and read, which invites more spam and phishing.
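The two points above (a forged “From” and a “Reply To” that goes elsewhere) and the later ones about links in email and deadline pressure can be checked mechanically on a raw message. The script below is an added example, not code from SF State or from the original post: it parses a constructed spear-phishing message and a constructed legitimate one with Python's standard `email` module and reports the red flags a reader should look for. The addresses, hostnames and message text are made up for illustration.

```python
"""Header and link checks that expose a forged From/Reply-To (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the From line is forged to look like the HelpDesk, while
# Reply-To, the envelope sender and the real link target point elsewhere.
# Every address and host here is a made-up example.
PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
From: "SFSU HelpDesk" <helpdesk@sfsu.edu>
Reply-To: helpdesk.sfsu@webmail-verify.example.net
To: user@sfsu.edu
Subject: Your email account will be suspended in 24 hours
Content-Type: text/html

<p>Confirm your account now or lose access:</p>
<a href="http://sfsu.webmail-verify.example.net/login">https://www.sfsu.edu/helpdesk</a>
"""

# Constructed sample of a message with none of the warning signs.
CLEAN = """\
Return-Path: <helpdesk@sfsu.edu>
From: "SFSU HelpDesk" <helpdesk@sfsu.edu>
To: user@sfsu.edu
Subject: Planned maintenance this weekend
Content-Type: text/html

<p>Details are posted at <a href="https://www.sfsu.edu/helpdesk">https://www.sfsu.edu/helpdesk</a>.</p>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URGENCY_RE = re.compile(r"\b(suspend\w*|shut ?off|turned off|in \d+ hours|immediately)\b", re.I)


def domain_of(addr_header):
    """Return the lower-cased domain of the address in a header value ('' if none)."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw):
    """Return a list of red flags found in a raw RFC 822 message.

    These are heuristics: none of them proves the message is fraudulent, but
    each is a reason to verify the sender out-of-band before acting on it.
    """
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(msg["From"])

    # 1. Reply-To points at a different domain than the visible From address.
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")

    # 2. Envelope sender (Return-Path) does not match the From domain.
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        flags.append(f"return-path domain {rp_dom} differs from from domain {from_dom}")

    # 3. Link text shows one host but the href actually goes to another.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for href, text in LINK_RE.findall(body):
        shown = urlparse(text.strip()).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            flags.append(f"link shows {shown} but points to {actual}")

    # 4. Deadline or account-threat wording used to pressure the reader.
    if URGENCY_RE.search(msg["Subject"] or "") or URGENCY_RE.search(body):
        flags.append("urgency or account-threat wording")

    return flags


if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

The forged message trips all four checks; the legitimate one trips none. A mail client shows you only the display name and the link text, so the point of the script is that the fields it compares (the real address, Reply-To, Return-Path and the href) are exactly the ones a reader has to go looking for.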

Use Browsers That Are "Phisher" Aware
  • As a result of the large volume of attacks against PayPal, eBay and online banking users over the past 3 years, security enhancements have been added to many of the popular web browsers. Internet Explorer 7, Firefox 2.0 and Opera 9.x all implement anti-phishing measures that warn you when a page matches a list of reported fraudulent sites. Turn these features on; they significantly reduce the chance that a link in an email message lands you on a fraudulent site. Note that these checks rely on lists of known sites, so a newly created phishing page may not be flagged yet; the warning is an aid, not a substitute for checking the link yourself.

Look At How You Manage IDs & Passwords Across Web Sites Internal & External to SFSU
  • If you use the same ID and password on several systems and you revealed them in this last phishing attempt, change at least your password on every site where you used it. Phishers are reportedly exploiting the fact that many people use the same ID and password across the campus, bank and social networking sites they access, and so target you where you may be more casual about sharing information (such as the campus environment) rather than through a bank communication, where your guard may be higher. Using a different password on each site limits the damage a single disclosure can do.

Put time on your side.
  • Malicious messages commonly use threats (such as your email account being shut off) to force you to act quickly without thinking. Instead, take the time to verify the source of any message that asks for personal information about you, using contact details you already know to be genuine rather than those given in the message.


Think About Information You Have Posted On Other Websites
  • The industry is seeing a large volume of “blended” and multi-vector attacks, meaning that scammers are attempting to extract sensitive information from multiple sources and combine it to make their messages more convincing. If posting your email address on another site brings you no real benefit, consider whether it really needs to be public, and activate any private sharing features the site provides.
