A bunch of us have gotten it. An email saying that your email account is going to be suspended unless you verify your username and password. An Amazon purchase confirmation for something hella expensive that you never ordered. A vague notification that someone has shared a file with you. Or the classic work from home job offer that only requires 4 hours and pays $400 a week. Enough hackers! We’re tired of you trying to steal our money and personal data. You are canceled!

The Unforgivable Offense – Being Totally Fake

Phishing is when criminals use fake emails, social media posts, or direct messages with the goal of luring you into clicking on a bad link or downloading a malicious attachment. If you click on the link or file, you may end up handing over your personal information to cybercriminals, like your username and password, or unknowingly installing malware onto your device. From there, they can steal your money, lock your device and demand a ransom to release it, commit identity theft, or steal the data of others you know (or even try to infiltrate University servers).

Spotting the Poser

Once you know what to look for, you can spot a phishing attempt and outsmart it. The signs can be subtle, but if you just take a moment (like, literally 4 seconds) to consider whether the email looks legit before clicking, you can spot a phishing email’s true colors.

Here are some questions to ask yourself:  

• Does it contain an offer that’s too good to be true?  
• Does it include language that’s urgent, alarming, or threatening?  
• Is it poorly written, riddled with misspellings and bad grammar? 
• Is the greeting ambiguous or very generic?  
• Does it include requests to send/submit personal information? 
• Does it stress an urgency to click on an unfamiliar hyperlinks or attachment? 
• Is it a strange or abrupt business request? 
• Does the sender’s e-mail address match the company it’s coming from? Look for little misspellings like pavpal.com or anazon.com. 

Did I Ask You?! No? Then Buh-Bye!

It’s not that companies and websites never ask you for your login credentials or personal information. Obviously, you don’t want any Joe Shmo to get access to your accounts. The important thing here is did you go to them, or did them come to you?

If you went to the website, go ahead and log in. If you call the Help Desk or a customer service department, they will rightly ask you for info – but never your password – to verify it’s you. If you order something, you’ll get an order confirmation a few seconds later.

On the other hand, if you get an unexpected email asking you to provide your information, then that’s mad suspicious! Pitt IT messages won’t ask you to verify your username and password. (At most, they’ll refer you to a service that may require Pitt Passport authentication.) They already know that! Also be very suspicious of an order confirmation or shipping notice for something you didn’t buy. Know that government organizations usually contact you by postal mail – especially for an enforcement action. Assume that job offers for a position you didn’t apply to or a notice that you’ve won something you didn’t enter to win are fake! Bottom line, be wary of unexpected or unsolicited communications.

Check the Source Before Assuming Anything

Still not sure if that email is a scam? Go to the source. If something fishy came from Pitt IT, call the Technology Help Desk to ask if it’s legit. If you get an email from a business, go directly to the site (as in – type in the URL, use a bookmark, or google the company – DO NOT USE THE LINK IN THE EMAIL). Log into your account to verify purchases or call their customer service department about a problem with your account.

Don’t use contact info listed in the message – email scammers provide fake contact details to reel you in! If there isn’t enough information in the email (without clicking on links or attachments) to know who the sender is or you can’t find the company or organization online, you are in major RED FLAG territory! When in doubt, assume it’s a scam.

Time for Phishing to Get Cancelled

Once you’ve done the hard part, which is recognizing that an email is fake and part of a criminal’s phishing expedition, it’s time to take action! First and foremost, don’t do what the email says. Do not click on any links – even the unsubscribe link – or reply back to the email. Don’t click on or open any attachments. Just REPORT and DELETE.

If the email came to your Pitt email address, REPORT it to Pitt IT Security immediately. It just takes a second. Simply send the email as an attachment to phish@pitt.edu. (This is different than forwarding the email. Start a new Outlook message and then click Attach File > Attach Item > Outlook Item and select the message.) Then, DELETE the suspicious email.

If the email came to your personal email address, you can report it to the email platform. Here are  instructions for reporting a phishing email on Outlook, on Gmail, or on Mac Mail. You can even report a phishing attempt to the Federal Trade Commission here.

Be a Cyber Justice Warrior

Cybercriminals like to go phishing, but you don’t have to take the bait. Don’t let hackers get the best of you. Know the signs of phishing, pause a few seconds to consider whether a message is suspicious, verify information before clicking, and report and delete suspicious emails. Together, we can make sure that scammers get blocked and ignored … as they should be!

-- By Karen Beaudway, Pitt IT Blogger