A Deeper Dive: All About Phishing

If you’ve been on the internet for very long, you have probably heard the term ‘phishing.’ Phishing has always been a problem for users of the internet. One of the most well-known phishing scams, the Nigerian prince scam, first showed up in 1922, believe it or not, in the form of a fraudulent letter.

It may seem like phishing is easy to spot and ignore, but it continues to be a huge issue in the information security community. According to Infosecurity Magazine, phishing was found to be the most effective mode of hacking in 2017, with 90 to 95 percent of all successful attacks taking this form. Forbes reported that researchers found an average loss of $500 million per year due to phishing between 2013 and 2016.

Another type of phishing is business email compromise (BEC), which is built on spear phishing (we love our extended metaphors). Spear phishing is a targeted form of phishing (think: one sharp spear, instead of a fishing net) that goes after the specific personnel who have access to sensitive records like Social Security numbers, bank account routing information, or W-2 forms, or who can approve payments. As you may imagine, this form of phishing is far more dangerous, especially if the attackers successfully impersonate an executive whose requests staff are used to acting on without question. In 2016 alone, BEC scams were responsible for a combined loss of $5.3 billion, a significant jump from the $3.1 billion reported for 2015.

In other words: We need to stay vigilant.

Here at Miami University, we have seen plenty of examples of phishing come through. Often, these kinds of emails will be sent from a non-Miami account and will contain one or more grammatical errors. Here is a checklist of steps you can take to determine whether or not the fishy email you just got is, indeed, ‘phishy’:

  • Who is the email from? If the signature says the message came from someone at Miami but the actual “From” address is not on the @miamioh.edu domain, that’s suspect. Look at the real address, not just the display name: anyone can label an outside address “Office of the President,” and look-alike domains (something that merely contains “miamioh”) don’t count. The reverse is not proof of safety either, since the From line itself can be forged; mail servers check sender-authentication records (SPF, DKIM, DMARC) behind the scenes, so treat a matching domain as a good sign rather than a guarantee.
  • What does the email want me to do? If someone is asking you to provide personal details, such as Social Security numbers or bank account routing information, chances are it’s a scam. That goes double if it’s the University president requesting this data. We promise, President Crawford will never (ever) ask for your SSN via email (or otherwise, for that matter).
  • Check the grammar. Oftentimes, these emails are written poorly, riddled with typos and grammatical snafus.
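The first two checklist questions can be partly automated. The script below is an added example, not Miami University InfoSec tooling: it reads one raw message, compares the real From address (not the display name) against the miamioh.edu domain named above, flags display names and signatures that claim a university role the address does not back up, notes a Reply-To that routes answers to a different domain, and scans the body for requests for Social Security numbers, routing information, or W-2 forms. The two sample messages and every address in them are constructed for this example and are not real mailboxes; the grammar check is left to the human reader.

```python
"""Heuristic triage of a raw email against the phishing checklist.

Added example, not Miami University InfoSec tooling. It assumes the only
trusted sender domain is miamioh.edu (named on this page); the sample
messages and every address in them are constructed and not real.
"""
import re
import email
import email.policy
from email.utils import parseaddr

ORG_DOMAIN = "miamioh.edu"

# Phrases that, in an unsolicited email, signal a request for data the
# university will never ask for by email (checklist item 2).
SENSITIVE_REQUESTS = [
    r"social security",
    r"\bssn\b",
    r"routing (?:number|information)",
    r"\bw-?2\b",
    r"bank account",
]

# Display-name words that claim a university role the address may not back up.
AUTHORITY_CLAIMS = [r"\bpresident\b", r"\bmiami\b", r"\bpayroll\b", r"\bhr\b"]


def domain_of(addr: str) -> str:
    """Lowercased domain part of an address, or '' if it has none."""
    return addr.rpartition("@")[2].lower()


def is_org_address(addr: str) -> bool:
    """True only for the org domain or a subdomain of it, never a look-alike."""
    d = domain_of(addr)
    return d == ORG_DOMAIN or d.endswith("." + ORG_DOMAIN)


def triage(raw: str) -> list[str]:
    """Return human-readable warning flags for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    flags: list[str] = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""

    # Checklist item 1: who is it really from? Judge the address, not the name.
    if not is_org_address(from_addr):
        flags.append(f"sender {from_addr or '<none>'} is not an @{ORG_DOMAIN} address")
        if any(re.search(p, display_name.lower()) for p in AUTHORITY_CLAIMS):
            flags.append(f"display name {display_name!r} claims a university role "
                         "but the address is external")
        if ORG_DOMAIN in body or "miami university" in body:
            flags.append("signature claims Miami University but the message "
                         "did not come from the university domain")

    # Replies silently routed to a third domain are a classic BEC tell.
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        flags.append(f"Reply-To domain {domain_of(reply_to)} differs from "
                     f"sender domain {domain_of(from_addr)}")

    # Checklist item 2: what does it want me to do?
    asks = sorted({m.group(0) for p in SENSITIVE_REQUESTS
                   for m in re.finditer(p, body)})
    if asks:
        flags.append("asks for sensitive data: " + ", ".join(asks))

    return flags


# Constructed sample messages (not real mail, not real addresses).
SAMPLE_PHISH = """\
From: Office of the President <president.office@miamioh-edu.example.net>
Reply-To: records@payroll-update.example.org
To: staff@miamioh.edu
Subject: Urgent: re-validate your payroll record
Content-Type: text/plain; charset="utf-8"

Dear Colleague,

Due to a system upgrade we must re-validate employee records. Reply with
your Social Security number and bank account routing number by 5pm today.

Office of the President
Miami University
"""

SAMPLE_LEGIT = """\
From: IT Help Desk <helpdesk@miamioh.edu>
To: staff@miamioh.edu
Subject: Scheduled portal maintenance Saturday
Content-Type: text/plain; charset="utf-8"

The portal will be unavailable Saturday 2-4 am for maintenance.
No action is needed on your part.

IT Services, Miami University
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(sample) or ["no flags"])
```

Run it and the constructed phishing sample produces five flags (external sender, a display name claiming the President's office, a signature claiming Miami University, a Reply-To on a third domain, and a request for bank account, routing and Social Security data) while the maintenance notice produces none. Treat the output as triage that tells you when to stop and ask InfoSec, not as a verdict: a clean result only means none of these particular tells fired.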

If you’re still not sure, contact someone on the InfoSec team and we’ll help you out.

When you are in doubt, remember: 

STOP

Don't click on any links!

VALIDATE

Do you recognize the sender? Were you expecting this email?

DELETE

If you don't need it or didn't ask for the message, just delete it!