RITE

Resources for Information Technology and Education

Information Security

Security Awareness Tips:

Phishing Resources

Phishing is, at its heart, a con. Someone who is phishing via email wants something that you have, or something of value to which you are electronically connected. Organizations like AAA, your credit card institution, and others sell your information legally, by first disclosing to you that they will sell it. So it makes sense that someone who can't do it legally would want to steal it, and then sell it or use it another way.

Simply put, phishing is a type of con perpetrated on individuals and organizations with the end goal of stealing usernames, passwords, credit card information, Social Security numbers and more. This is done by pretending to be a trustworthy person, a familiar person or entity (e.g., Amazon, Best Buy, your bank), a member of your organization, or your boss, in order to: steal your identity (e.g., run up credit card debt, open new accounts), steal money (e.g., change payroll direct deposit information), send spam from your account (remember the recent SUNY Google Docs event), or use your credentials to access other campus systems, giving them a plethora of private information about you, your colleagues, students, and campus accounts. Phishing has been around for a long time, but now we are in the electronic age. See this great example.

What's spear phishing? That's when someone targets you personally with a con. When something is carried out with the end in mind, there is a lot of planning that goes into the activity. Information you post on Facebook, Twitter, Instagram, LinkedIn, anywhere on the web, can be mined by criminals who can easily pose online as an old high school pal, a parent of your child’s friend, or whatever warms your heart.

Here are some guidelines for now. At the bottom of the page, I have some links to YouTube videos you can show your class.

What can prevent success in a majority of email phishing attacks? Stop. Read. Think: Is this a legitimate email?
The email may look official, but something is phishy about it.
Step 1: Report it! --by forwarding to the RITE Support Desk (RSD)
Step 2: Delete it!
For examples of real phishing email received at Buffalo State, see our Information Security Blog about Phishing.

If it's not expected, it should be rejected!
Scenario: Suddenly an unexpected email appears from Amazon telling you something is URGENT and to click here... Replace Amazon with “Support Desk,” “President’s Office,” “United Nations,” “IRS,” or anything else. It’s phish!
Step 1: Report it! --by forwarding to the RITE Support Desk (RSD)
Step 2: Delete it!

Not sure? Discover by Hover
Scenario: You receive an email that claims to be from the IRS. They supply a link for you to click on. You use your cursor to hover over the link, not to click on it. This is where you’ll see the actual link address. For instance, hovering may reveal www.merry-dotmoo.com. The IRS' domain is .gov, not .com. You can be quite certain that the IRS does not use a domain called moo.com or merry-dot.com. Even if you think they might, there is still doubt in your mind. C'mon, this is phish!
Step 1: Report it! --by forwarding to the RITE Support Desk (RSD)
Step 2: Delete it!

Ensure the Link is not from a Fink
Scenario: You receive an email that looks like it’s from the RITE Support Desk. It tells you to click on a link to reset your Blackboard password. You’re busy, so you just click on the link. You go to what looks like the login page of the official Buffalo State LMS (learning management system). But it’s a phony. You stop and think that maybe that email wasn’t from the RITE Support Desk. Take a look at the URL (link). Instead of reading "https://buffalostate.opensuny.edu/…", the first part of the URL reads "www.buffalotate.net.com/…". Stop, read, think! The "https" is missing, so the site is not secure. Buffalo State is spelled wrong, and what's up with that .net? It's phishy!
Step 1: Report it! --by forwarding to the RITE Support Desk (RSD)
Step 2: Delete it!
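An added example (not part of this RITE page) that turns the hover checks above into code: it flags a missing https, a host that is not one of the claimed sender's domains, a misspelled lookalike label such as buffalotate, and visible link text that differs from the real target. The legitimate-host table and the sample message are assumptions constructed for the example.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Legitimate hosts for the senders named in the scenarios (assumed for this example).
LEGIT_HOSTS = {
    "IRS": ["irs.gov"],
    "Buffalo State": ["buffalostate.opensuny.edu"],
}

# Pulls (href, visible text) pairs out of simple HTML: the hover target versus what is shown.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def hover_check(href, claimed_sender):
    """Apply the hover rules to one link; returns the reasons it fails (empty list = passes)."""
    reasons = []
    p = urlparse(href if "://" in href else "http://" + href)
    host = (p.hostname or "").lower()
    if p.scheme != "https":
        reasons.append("no https")
    legit = LEGIT_HOSTS.get(claimed_sender, [])
    if not any(host == h or host.endswith("." + h) for h in legit):
        reasons.append(f"{host} is not a known {claimed_sender} domain")
        for label in host.split("."):          # misspelled lookalike, e.g. buffalotate
            for brand in (h.split(".")[0] for h in legit):
                if label != brand and SequenceMatcher(None, label, brand).ratio() >= 0.85:
                    reasons.append(f"'{label}' looks like a misspelling of '{brand}'")
    return reasons

def scan_email(html_body, claimed_sender):
    """Run hover_check on every link; also flag visible URL text that differs from the real target."""
    findings = {}
    for href, text in ANCHOR.findall(html_body):
        reasons = hover_check(href, claimed_sender)
        shown = urlparse(text.strip()).hostname if "://" in text else None
        target = (urlparse(href).hostname or "").lower()
        if shown and shown.lower() != target:
            reasons.append(f"shows {shown} but points to {target}")
        findings[href] = reasons
    return findings

# Constructed sample modelled on the "Fink" scenario above (not a real message).
SAMPLE = ('<p>Reset your Blackboard password: <a href="http://www.buffalotate.net.com/login">'
          'https://buffalostate.opensuny.edu/</a></p>')
```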

Don’t Put Protected Information in Email!
(if you have an effective rhyme for this, please email)
Scenario: You receive an email that looks like it’s from Buffalo State Human Resources asking for your bank account number and routing number because your direct deposit information is wrong.
Don’t send your password, social security number, bank account information, Banner number, health information, or any private/protected information data via email. If you think it’s from HR, call them.
Step 1: Report it! --by forwarding to the RITE Support Desk (RSD)
Step 2: Delete it!

Scenario: You receive an email from John Podesta explaining that your email is compromised, or over quota. He wants your password to fix it.
Don’t send your password, social security number, bank account information, Banner number, health information, or any personal data via email. Don’t send anyone else’s personal information over email. See the blog post about taking your laptop home for more information.
Do not click on links in suspicious email.
Step 1: Report it! --by forwarding to the RITE Support Desk (RSD)
Step 2: Delete it!

Note: If you want to send a link to a colleague via email, paste the whole link; don’t embed it in a word. This way your colleague can see the URL.

See these videos on phishing. Share them with your students! For the hearing impaired, click "CC" at the bottom right of the video for closed captioning.
(you may have to skip an ad)
https://www.youtube.com/watch?v=5RHeJAEdiEc
https://www.youtube.com/watch?v=U7tbJVSInvo

This is a very good security awareness video that covers not just electronic security and password sharing but also physical security.
https://www.youtube.com/watch?v=2sh4BIaF6gg

See real examples of email received by Buffalo State employees.