A phishing email is one that tries to trick you into revealing sensitive information. The name “phishing” is given because the attackers are “fishing” for information.
Sometimes these details can be used directly to cause harm or loss, like usernames and passwords, or credit card numbers.
Sometimes the harm is less obvious – revealing your name and address may not seem very significant, but together with other bits of information may allow identity theft. The most common use of a stolen identity is to apply for a loan, pretending to be the victim.
How to detect phishing emails:
- They are unsolicited – you didn’t ask for the email, or you’re not expecting one from that sender.
- They don’t give any indication that they know who you are – there is no reference to personal information that the legitimate sender would know.
- There is no contact information for the sender – legitimate messages will provide a way for the recipient to validate it (often by phone).
- If you’re instructed to follow a link in the email, the destination doesn’t match the link text. This is an example: www.google.com [The link actually goes to www.otago.ac.nz]. Most email programs and web browsers will display the actual destination of a link in a popup box (hold the mouse over the link for a moment), or in the lower left corner of the screen.
- Other people (your colleagues, friends, or acquaintances) have received similar emails. Phishing is often done in batches to groups of similar people.
- Often the message indicates prompt or urgent response is needed. e.g. “Verify your account now or it will be deleted.”
What you can do:
- Critically evaluate any email that requires you to reveal personal information, paying particular attention to the warning signs listed above.
- Contact the sender to verify the request. Look up their contact details independently of the suspicious email (e.g. Using their corporate website or a phone directory).
- Get a second opinion about the validity of an email. Your colleagues and friends are a good source of help – in general over 99% of recipients are able to detect when an email is fraudulent. University of Otago staff and students are welcome to ask the ITS Service Desk (firstname.lastname@example.org) for an evaluation.
- If you’re uncertain about responding, don’t respond. Ask someone else, or an IT professional for their opinion.