How to Protect Yourself Against Phishing Scams & Identity Theft. Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious software on the victim’s infrastructure like ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site, and transverse any additional security boundaries with the victim. As of 2023, phishing is by far the most common attack performed by cybercriminals, the FBI’s Internet Crime Complaint Centre recording over twice as many incidents of phishing than any other type of computer crime.
The first recorded use of the term “phishing” was in the cracking toolkit AOHell created by Koceilah Rekouche in 1995; however, it is possible that the term was used before this in a print edition of the hacker magazine 2600. The word is a leetspeak variant of fishing, probably influenced by phreaking, and alludes to the use of increasingly sophisticated lures to “fish” for users’ sensitive information.
Attempts to prevent or mitigate the impact of phishing incidents include legislation, user training, public awareness, and technical security measures. Phishing awareness has become important at home and at the work place. For instance, from 2017 to 2020, phishing attacks have increased from 72% to 86% among businesses.
There are several steps you can take to protect against phishing:
If you receive a suspicious email
- Do not reply, even if you recognize the sender as a well-known business or financial institution. If you have an account with this institution, contact them directly and ask them to verify the information included in the email.
- Do not click any links provided in these emails (or cut and paste them into a browser). This may download viruses to your computer, or at best, confirm your email address to phishers.
- Do not open any attachments. If you receive an attachment you are not expecting, confirm with the senders that they did indeed send the message and meant to send an attachment.
- Do not enter your personal information or passwords on an untrusted Web site or form referenced in this email.
- Report any suspicious messages that claim to be from UMass Amherst or contain a suspicious attachment or link to [email protected].
- Delete the message.
If you responded to a suspicious email
- Contact your financial institution. Report the content of your email and your actions to the security or fraud department.
- File a police report. Contact the UMass Police Department at (413) 545-2121 or your local police department.
If you have already provided your IT Account information in response to a phishing email, your account may be disabled (all accounts that display signs of suspicious activity will be frozen). It is critical that you:
- Contact the IT Help Center to report the incident and get your IT Account re-instated (if applicable).
- Change your IT Account password immediately in SPIRE. If your IT Account has been disabled, you will create a new password when you re-activate your account.
- Change the passwords to all online accounts that may have been compromised.
- Report the message to the Federal Trade Commission at [email protected] or through their online form and to any organization impersonated in the email. You can also report the message to the Anti-Phishing Working Group at [email protected], a group of Internet Service Providers, security vendors, financial institutions, and law enforcement agencies dedicated to fighting phishing.
Never email your personal or financial information
Email is not a secure method of communicating sensitive information. Remember that legitimate financial institutions never ask for sensitive information via email.
Review your credit card and bank account statements
The best way to monitor activity on your financial accounts is to carefully inspect your credit report every year. Federal law requires the nation’s major credit reporting companies to give everyone a free credit report every 12 months. Once you have your report, look for inaccurate information or unfamiliar accounts.
Check your bank and credit card accounts for any suspicious activity or unauthorized charges. Sign up for online statements if you do not already receive them to get the latest information.
Use caution with tax information
From the Internal Revenue Service: “Scams can be sophisticated and take many forms. We urge people to protect themselves and use caution when viewing emails, receiving telephone calls or getting advice on tax issues. […] Keep your personal information safe and secure. Taxpayers should protect their computers and only give out their Social Security numbers when absolutely necessary.”
Use email etiquette
To ensure that your email isn’t mistaken for an infected message:
- Always include a clear, descriptive subject for your email.
- Consider using a signature, your name and contact information, on your email.
- Always include a mention of the attachment and a description of why you are sending it in the body of your email.
Use security best practices
- Use a unique password for each of your online accounts. Many people reuse a favorite password for multiple accounts, but if one of these accounts is compromised, they will all be at risk of data breach.
- Run a full virus scan of your computer every month. To detect the latest viruses, you must use a current version of your anti-virus software and keep it updated. We offer anti-virus software free of cost to members of the University community.
- Update your device’s operating system with the latest security patches, including your mobile operating system. Use Windows Update (Windows) or Apple Software Update (Macintosh) and enable automatic updates to receive security patches as soon as they are released.
- Keep your software updated, especially your Web browser, mobile operating system, Adobe Reader, and Flash Player. Use Secunia PSI to scan and patch outdated programs.
- Only use approved storage applications for sensitive data and institutional information. Third-party applications like DropBox or a personal Google account are not appropriate storage or transmission methods for institutional information. See Requirements for Storing University Data for more information.
- Do not “jail-break” your smartphone while you are a member of the university community and connect to the campus network.
