What to Do If You Believe You Have Fallen for a Phishing Attempt
Important: If you ever suspect you have fallen for a phishing attempt and provided personal information or account credentials, or downloaded suspicious content, please contact your local academic technology team or the IT Service Desk at 973-655-7971, option 1, or by email at firstname.lastname@example.org.
If the IT Service Desk is not immediately available and you know that you used or provided your NetID account information (username and password) in response to a phishing scam, the most important step you can take is to change your NetID password immediately using the NetID Account Form at: https://netid.montclair.edu
Phishing is an email, phone call, or text message based attack that is sent with the intention of deceiving the recipient into providing information. The attacker can then use that information directly, such as bank account information, or indirectly, such as personal information that may provide hints about the recipient’s password.
A few examples of methods used by attackers to deceive or “trick” recipients:
- Getting the recipient to click on a link that brings them to a fake website. The fake website asks the recipient to log in in order to steal their username and password.
- Getting the recipient to download an attachment that contains a virus or malware.
- Getting the recipient to buy gift cards or send money.
- Getting the recipient to provide personal information such as bank accounts, credit cards, or social security numbers.
Some phishing attacks are obvious and sloppy, with poor grammar and spelling; however, some people still fall for them. Other attacks are specific, personal, and may appear legitimate at first glance, which makes them much harder to detect.
The best thing you can do to avoid becoming the victim of a phishing attempt is to familiarize yourself with the common types of phishing attacks, be vigilant in looking for the common signs of phishing, and, if you believe you may have fallen for one, report it immediately.
Forged Sender Address Phishing
An email message sent to you by an attacker who has registered a fake domain or fake email address and sends thousands of generic requests to random email addresses. This type of attack tries to get you to click on a link, download an attachment, or provide personal information such as email and password, banking information, etc. These emails are usually very easy to spot because they use email addresses like email@example.com and frequently contain odd grammar and spelling.
Another type of attack impersonates a legitimate business to trick you into believing the email is genuine. Attackers will try to convince you that you need to do things like provide information to keep your account safe or check on an order you placed. What makes this email deceptive is that the email, and the website it sends you to, will look as legitimate as possible. They will use company logos and attempt to replicate company-looking email addresses such as firstname.lastname@example.org@gmail.com. The best way to detect these attacks is to reach out to the company through means you know are official: find the company website by searching for it in Google, then email or call the company to verify the situation.
Some attacks employ a personal touch. Spear phishing customizes the attack to make it appear more personal. Attackers may use public information from the university website, such as names and email addresses, and may find more via outside sources such as your LinkedIn or social media pages. The goal is always the same: to get you to give up personal information, accounts, money, etc. A common spear phishing attack is one where an attacker pretends to be someone who holds a higher position than you and asks you to run out and buy gift cards for them because they are in a meeting and unavailable. The attacker will also use language that makes the request seem urgent and needed immediately because of some family emergency or something they forgot to do. Detecting this type of attack is much harder because the attacker is using information that seems, at first glance, legitimate and personal. One of the best attitudes you can adopt is to remember that emails are not urgent and you do not need to respond right away, or at all. Read the message thoroughly and pay attention to the sender name and email address. Truly urgent matters require much more direct methods of contact, such as a phone call or someone walking into your office to find you personally.
Vishing (voice phishing) is another type of phishing attack, one that does not rely on email. Attackers use a VoIP (Voice over Internet Protocol) server to imitate legitimate organizations in an attempt to obtain personal information. Commonly imitated organizations include the IRS, banks, car companies, and various types of insurance. These attacks can be easy to detect because they are usually automated messages from unknown numbers. To protect against vishing, avoid answering phone calls from unknown numbers and do not give personal information to an automated system you are unsure of.
Smishing uses text messages to trick you into clicking on links and giving up personal information. Many legitimate services, such as UPS and FedEx for deliveries and restaurants for tables or orders being ready, now communicate by text message, which makes it easier for attackers to trick someone this way. A common text-based attack claims that you have won a contest and requests additional information, or claims to be from a bank or credit card company. Ways to defend against this type of attack are: do not click on links in text messages, research the numbers texting you, and call a known number for the company to validate the message.
Be on the lookout for common signs of phishing
Check both display name AND the email address. Attackers often attempt to distract the recipient from the false email address (email@example.com) by including a real display name (“Bob Jones”). They use publicly accessible directory information to appear to come from someone of authority such as your manager or the university president.
Prevalent spelling and grammatical errors. Legitimate businesses and marketing brands take communication seriously, and legitimate emails usually do not contain many spelling mistakes or poor grammar.
False information such as department names. If you have never heard of the “Office of Student Registration”, it is likely because it doesn’t exist. Check with the campus directory.
Requests to provide personal information or credentials via an email response or form. All central and distributed campus Information Technology staff are trained never to ask for a user’s personal credential information (e.g., the password to your NetID account), and you should never provide it. Ever.
Do not trust links in email (or texts)
Attackers often include embedded links in an attempt to redirect you to a malicious site. The site could be a form asking for you to enter information, create an account, login using your credentials, etc. There are many different examples, however, they are all designed to steal important information from you.
Never trust embedded links (highlighted text that appears as words rather than as a URL or site address) in an email or text message. Always check the full URL to see whether it looks suspicious, and do not open or follow the link if you are not sure.
To check the URL of an embedded link:
From a computer, use your mouse pointer to hover over an embedded link to view the actual web address which should appear at the bottom of the browser window or in a pop-up.
From a mobile device running iOS (Apple) or Android, you can evaluate an embedded link by pressing and holding it with your finger or stylus; when a pop-up dialog appears, let go. The dialog should show the full URL of the embedded link along with other options. Do not tap “Open” unless you know the link is safe.
A safer approach is to manually type a known website into your browser. For example, if you receive an email purporting to be from your bank, use your browser to type in the address of your bank directly instead of clicking the link.
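As an added example that is not part of the original page, the following Python script applies two of the signs described above, the display name versus sender address check and the embedded-link text versus real URL check, to a constructed sample message; the trusted mail domain is an assumption.

```python
import email, email.policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"montclair.edu"}  # assumption: the organization's own mail domain
# Constructed sample: a familiar display name on an outside address, plus a link
# whose visible text is a real-looking URL while its href goes somewhere else.
SAMPLE = """\
From: "Bob Jones" <bob.jones.president@gmail.com>
Content-Type: text/html

<p>Please verify at <a href="http://netid-montclair.example.com/">https://netid.montclair.edu</a> now.</p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def sender_flags(from_header):
    """Warn when a display name is paired with an address outside TRUSTED_DOMAINS."""
    name, addr = parseaddr(str(from_header))
    trusted = addr.lower().endswith(tuple("@" + d for d in TRUSTED_DOMAINS))
    return [f"display name '{name}' but outside address {addr}"] if name and not trusted else []

def link_flags(html):
    """Warn when a link's visible text is a URL whose host differs from the real href."""
    parser = LinkCollector()
    parser.feed(html)
    return [f"link text shows {text} but points to {href}" for href, text in parser.links
            if text.startswith(("http://", "https://"))
            and urlparse(text).hostname != urlparse(href).hostname]

def check_message(raw):
    """Parse a raw email message and return the warnings from both checks."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("html",))
    return sender_flags(msg["From"]) + link_flags(body.get_content() if body else "")
```

Running `check_message(SAMPLE)` reports both signs for the sample; a message from a trusted-domain address whose link text and target share a host produces no warnings.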
Do not trust attachments
If the attachment is unexpected or has a suspicious name or file extension, the sender’s account may have been compromised. Call the sender to verify the attachment before opening.
Do not call phone numbers listed in emails from unfamiliar senders
Reference a reliable source such as a billing statement or go directly to the company’s web site to obtain the number.
Assess the greeting
Was the greeting vague such as “Valued Customer”? Legitimate businesses that have your customer information will often use a more personal greeting with your first and last name.
Be mindful of the tone
Attackers typically attempt to create a sense of urgency to trick the recipient into thinking they must take action immediately, which also serves to distract you from assessing the legitimacy of the request.
Please note there are key differences between SPAM and phishing emails and if/how they should be reported:
SPAM is unsolicited email as related to advertising, service offerings, social or political causes, etc. SPAM will not typically ask you to provide any information or ask for your personal or account related information via a reply or upon clicking a link. SPAM can simply be deleted or you can mark the message as SPAM in Gmail or in your preferred messaging client. While it may be annoying to receive, SPAM is not generally considered an information security concern and does not need to be reported to the IT Service Desk.
Phishing is an email, phone call, or text message based attack that is sent with the intention of deceiving the recipient into providing information. Potential phishing emails are an information security concern only if the recipient has reacted to the attempt by:
- Providing any information or credentials via email reply or clicking on a link in the email and submitting information to a web page or form.
- Downloading and/or opening any attachments in the email or downloading any files resulting from clicking on a link in the email.
If you only opened (read) but did not otherwise interact with a potential phishing message as described above, the message does not need to be reported to the IT Service Desk. If you are using Gmail, you can report the message to Google:
- While viewing the message, click on the three vertical dots on the upper-right of the message.
- Click “Report phishing”.
If this does not automatically remove the email from your inbox, you may proceed to delete the email.
If you did interact with the message (i.e., clicked links, opened attachments, or provided information), please see the first section above, “What to Do If You Believe You Have Fallen for a Phishing Attempt”.