Email Security

From the Director of Information Security
In the pre-Internet era, con men, also known as confidence men, would gain victims’ confidence through the use of deception to defraud them. The same principles are being used today, only now even more efficiently through the use of online scams. One of the most prolific means for online scamming is phishing.

“Gone Phishing”

When using email, it is difficult to know with certainty with whom you are communicating. Scammers exploit this uncertainty to pose as seemingly legitimate businesses, organizations, or individuals by spoofing email addresses, creating fake websites with legitimate logos, and even providing phone numbers for bogus customer service centers operated by the scammers, all in order to gain the trust of users. If a scammer is able to gain the trust of victims, he or she can leverage this trust to convince them to willingly give up information or to click on malicious links or attachments. Being prepared and proactive, mindful and observant, is your best defense against these deceptions.

Two Common Types of Phishing Attacks

  •   Phishing. Phishing scams are perhaps the best-known form of email scam. Typically a scammer impersonates a bank, a service provider, or an organization you deal with and asks you to “confirm” or “verify” an account, either by replying or by following a link to a counterfeit login page where whatever you type goes straight to the scammer. A long-running variant is the advance-fee scam, in which the scammer pretends to have a fortune that he or she is incapable of accessing without the help of someone trustworthy, which happens to be you! The scammer tries to obtain your financial information using an empty promise of sharing the wealth in exchange for help.
  •   Spear-phishing. Spear-phishing is a targeted and personalized attack in which a specific organization or individual is singled out. These attacks use any information about the target that the attacker can find. Is your Facebook profile public? Are you on LinkedIn? Do you have a Twitter account? A scammer may use a fake or spoofed email address to pose as a friend or colleague and include personal details (found on one of your online profiles) in the email to entice you either to divulge sensitive information or to download a malicious file. This requires a lot of information-gathering on the target, and it has become one of the favored tricks used in cyber espionage.

Be Mindful

When it comes to phishing, the best line of defense is you. If you are mindful of potential phishing traps and recognize the telltale signs of a scam, you can better defend against phishing attacks. Here are some easy tips to protect yourself:

  •   Be cautious of all communications you receive, including those purporting to be from “trusted entities,” and be careful when clicking links contained within those messages. If in doubt, do not click.
  •   Don’t respond to spam-type emails. Replying confirms to the sender that your address is live and read, and often triggers further phishing attempts or a malware download.
  •   Don’t send your personal information via email. Legitimate businesses, including Towson University, will never ask users to send sensitive personal information through email.
  •   Don’t input your information in a pop-up; if you are interested in an offer that you see advertised in a pop-up ad, contact the retailer directly through its homepage, through a retail outlet, or through another legitimate contact method.

Be Observant

Scammers rely on deception to entice users to do what the phisher wants. Their deception is based on resembling legitimate sites or trusted sources, and these scams can be very realistic and difficult to identify. However, there are some telltale signs that may indicate a phishing scam, and by being observant you can minimize your risk of becoming a victim. Keep an eye out for these simple, telltale signs of a phishing email:

  •   The email has poor spelling or grammar.
  •   A padlock icon or an https:// address is not proof that a site is legitimate. The padlock only means that the connection to that site is encrypted, so third parties cannot read what you send in transit; it says nothing about who runs the site, and scammers obtain certificates for their fake sites as easily as anyone else. Do insist on https for any transaction involving sensitive information, but judge the site by the domain name in the address bar, not by the lock.
  •   The use of threats or incredible offers is a common tactic that tries to elicit an emotional response to cloud the user’s judgment. Ask yourself, “Is this too good/bad to be true?”
  •   The URL does not match that of the legitimate site. Scammers cannot register the legitimate organization’s domain name, so they register an address that looks right at a quick glance and differs in a small way:
    • The URL may use a different top-level domain (for example, bankofamerica.net instead of bankofamerica.com)
    • The URL may use a variation of the spelling of the actual address (for example, bankofmerica.com)
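The two lookalike tricks above can be checked mechanically. The script below is an added example, not code from the Towson University page: it pulls the link targets out of a constructed HTML email body and compares each link’s registrable domain with a hand-maintained list of trusted domains (the list, the sample links and the edit-distance threshold are assumptions made for the example). It also catches a third common disguise the page does not list, the trusted name placed as a subdomain of an attacker-controlled domain.

```python
import re
from urllib.parse import urlparse

# Assumption: the domains this reader treats as legitimate. Hand-maintained here.
TRUSTED = {"bankofamerica.com", "towson.edu"}

# Constructed sample: links as they might appear in the HTML body of an email.
SAMPLE_HTML = """
<a href="https://www.bankofamerica.com/login">Bank of America</a>
<a href="http://bankofamerica.net/verify">Verify your account</a>
<a href="https://secure.bankofmerica.com/reset">Reset password</a>
<a href="https://bankofamerica.com.login-check.net/">Sign in</a>
"""


def hostname(url):
    """Lower-cased host part of a URL; a bare 'example.com/path' is tolerated."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """The last two labels of the host (the part only the owner can register).
    Assumption: single-label public suffixes such as .com/.net/.edu; a production
    tool would consult the Public Suffix List so that example.co.uk works too."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, trusted domain the link resembles or None)."""
    host = hostname(url)
    dom = registrable_domain(host)
    if dom in TRUSTED:
        return ("trusted", dom)
    name, _, tld = dom.rpartition(".")
    subdomain_labels = host.split(".")[:-2]
    for trusted in sorted(TRUSTED):
        tname, _, ttld = trusted.rpartition(".")
        if name == tname and tld != ttld:
            return ("lookalike-tld", trusted)        # bankofamerica.net
        if name != tname and edit_distance(name, tname) <= 2:
            return ("lookalike-spelling", trusted)   # bankofmerica.com
        if tname in subdomain_labels:
            return ("brand-in-subdomain", trusted)   # bankofamerica.com.login-check.net
    return ("unrelated", None)


def check_links(html):
    """Extract every href target from the email body and classify it."""
    return [(url,) + classify(url) for url in re.findall(r'href="([^"]+)"', html)]


if __name__ == "__main__":
    for url, verdict, resembles in check_links(SAMPLE_HTML):
        note = f"  (resembles {resembles})" if resembles else ""
        print(f"{verdict:20} {url}{note}")
```

Only the first sample link is rated trusted; the other three are flagged with the trusted domain they imitate. The same comparison can be run by eye: read the address bar from the right, find the registrable domain, and ignore everything in front of it.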

Be Aware of Attachments

Don’t trust a file based on its extension (for example, by assuming that a “.doc” file must be a Microsoft Word document). There are a variety of tricks to hide the nature of a file: the “.doc” could actually be an “.exe”, an executable file that could be malware. While the simplest solution is not to download a file from an unknown sender at all, below are some additional things to look for:

  •   Be cautious about double file extensions. One way the true extension can be hidden is by adding a second extension, such as “Evil.pdf.exe”, so that the file looks like a regular PDF. Windows hides known extensions by default, so such a name is displayed simply as “Evil.pdf”, with the “.exe” out of sight.
  •   Be wary of container files such as “.zip” files. Any number of files can be packaged inside, including malicious ones!
  •   Beware of attached document files. Malicious code can also be embedded in commonly emailed formats such as “.doc” and “.pdf” (through macros, embedded scripts, or exploits of the program that opens them), giving you another reason to open attachments only from trusted sources.
  •   Do not open executable files, such as those with an “.exe” extension. These files run commands on your computer, which could download viruses or other malware.
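As an added example (not code from the original page), the following Python script applies these attachment checks to a set of constructed sample attachments: it looks for double extensions, executable and container extensions, and compares the file’s leading bytes with what its extension claims, so that a “.doc” that is really a Windows executable is caught regardless of its name. The extension sets, the signature table and the sample files are assumptions made for the example, and it adds one name trick the page does not mention, the Unicode right-to-left override character, which makes “invoice‮fdp.exe” display as “invoiceexe.pdf”.

```python
# Assumptions (not from the page): which extensions count as executable, container
# and document types beyond the .exe/.zip/.doc/.pdf the page names, and the
# file-signature table below. Both are deliberately small.
EXECUTABLE_EXT = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "msi"}
CONTAINER_EXT = {"zip", "rar", "7z", "iso"}
# What the leading bytes of a file with this extension should identify as.
EXPECTED_KIND = {"pdf": "pdf", "doc": "ole-document", "xls": "ole-document",
                 "docx": "zip", "xlsx": "zip", "zip": "zip"}
MAGIC = [
    (b"MZ", "windows-executable"),                            # DOS/PE header
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                                   # .zip; .docx/.xlsx are zip containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-document"),    # legacy .doc/.xls
]
RLO = "\u202e"  # Unicode right-to-left override: text after it is displayed reversed


def detect_kind(data):
    """Identify the content by its leading bytes, ignoring the file name."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def extensions(filename):
    """All extensions of the name, lower-cased: 'Evil.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def assess(filename, data):
    """Return a list of warnings for one attachment; an empty list means nothing
    in the name or the leading bytes contradicts what the file claims to be."""
    warnings = []
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    if RLO in filename:
        warnings.append("name contains a right-to-left override that hides the real extension")
    if len(exts) >= 2 and exts[-2] in EXPECTED_KIND and last in EXECUTABLE_EXT:
        warnings.append(f"double extension: shown as .{exts[-2]} but really .{last}")
    if last in EXECUTABLE_EXT:
        warnings.append(f"executable attachment (.{last})")
    if last in CONTAINER_EXT:
        warnings.append("container file: anything can be packaged inside")
    kind = detect_kind(data)
    if kind == "windows-executable" and last not in EXECUTABLE_EXT:
        warnings.append(f"content is a Windows executable although the name says .{last or '(none)'}")
    elif last in EXPECTED_KIND and kind != "unknown" and kind != EXPECTED_KIND[last]:
        warnings.append(f"content is {kind}, not what a .{last} file should contain")
    return warnings


# Constructed sample attachments: (name, first bytes). Only the signatures are
# present; these are not real files.
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n%..."),
    ("Evil.pdf.exe", b"MZ\x90\x00\x03\x00"),
    ("invoice.doc", b"MZ\x90\x00\x03\x00"),
    ("statement.pdf", b"PK\x03\x04\x14\x00"),
    ("archive.zip", b"PK\x03\x04\x14\x00"),
    ("invoice" + RLO + "fdp.exe", b"MZ\x90\x00\x03\x00"),
]


def scan(samples):
    """Map each attachment name to its list of warnings."""
    return {name: assess(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, warnings in scan(SAMPLES).items():
        print(repr(name), "->", warnings or ["no issues noticed"])
```

Of the six samples only report.pdf comes through clean. The content check is the one a mail gateway or antivirus actually relies on: the name can say anything, but a file that begins with the “MZ” header is a Windows executable no matter what it is called.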

Also, make sure you have an up-to-date antivirus program installed, and enable its feature to scan attachments before they are downloaded and saved to your computer. The Towson University Office of Information Security recommends Microsoft Security Essentials for Windows systems. Download it here: http://windows.microsoft.com/en-US/windows/security-essentials-download.

Lastly, keeping your computer and programs updated helps prevent the malicious downloads often delivered by phishing messages. This includes:

  •   Making sure Windows Update is turned on.
  •   Making sure your antivirus is set to automatically update and scan your system.
  •   Making sure your programs are up to date. Program updates generally include security fixes that close the holes exploited by malicious attachments and web pages, and browsers also refresh their lists of known phishing websites. Common programs that require regular updates include:
    •   Adobe Reader
    •   Your browser: Mozilla Firefox, Internet Explorer, Google Chrome, etc.

For More Information about Email Phishing Scams