What is phishing?
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and financial details, or to convince victims to make some financial transfer (e.g. gift cards), by masquerading as a trustworthy entity, website or a known sender. The messages are often highly personalised and relevant, and can be sent through a legitimate, albeit hacked, account.
Why is Phishing a problem?
Bond University has a large user base and is an attractive target for cyber criminals. The most common phishing attacks will deceive you in to submitting your username and password. Once the attacker has your credentials they will comb through your inbox, sent items, deleted items etc. to glean any information that will enable financial fraud. The attacker now in control of your email account may contact payroll and request your bank details are updated. The attacker may also use your email account to intercept invoices in order to modify bank details on an invoice, unbeknownst to those involved in the communication.
Phishing is consistently the leading cause of data breaches reported to the Australian Government.
Can email filtering prevent delivery of Phishing emails?
Bond University invests significant funds into a leading email security platform. ITS staff tune the policy of this platform daily. Bond on average receives half a million emails per day, only 1.8% of these are deemed clean and delivered to their intended recipient.
How can I identify a Phishing email?
Identify the Sender. Do you know this person? Make sure to check the sender’s email address as well, not just their name.
Reply-to. If you reply to an email and the reply-to address is different from the sending address, this should raise your suspicion for the whole message.
Links and Attachments. Hover over links to see the actual URL, do you recognise the domain? If you were not expecting an attachment or a link, and you do not know the sender, do not open it! If you are not sure, check with the sender by phone (don’t use a phone number in the e-mail).
Grammar and Tone. Many malicious e-mails have poor grammar, punctuation and spelling. In addition, you should know how your co-workers communicate. Does this message sound like them? If not, it is probably malicious.
Emotions. Be wary of any e-mails trying to exploit certain emotions. Commonly used triggers are:
- Greed. Messages offering or promising you money by clicking a link or giving away information are usually malicious. If it seems too good to be true, it probably is.
- Urgency. Unusually short deadlines create a false sense of urgency to act. Attackers employ this technique to confuse the recipient.
- Curiosity. Attackers take advantage of our curiosity by promising something exciting or prohibited content.
- Fear. Threatening recipients with negative consequences is a common tactic to generate responses — such as threatening to shut off accounts, financial penalty or legal action.