Recognizing and Reporting Phishing
What is phishing?
Phishing is the top social attack on businesses, responsible for more than 90% of security breaches. Phishing occurs when a bad actor sends fraudulent emails, text messages, or Teams messages to convince you to disclose sensitive information, such as your password or credit card details, through your replies or by clicking on links. StationX, a top cyber security training and development platform, reports that 3.4 billion phishing emails are sent every day, accounting for 1.2% of all email traffic around the world. While not every unsolicited email is a phishing attack, it should be inspected for other suspicious elements that may help you identify if it's legitimate.
Identifying malicious emails
Here are some characteristics of a phishing message that will help you identify malicious emails:
- Unsolicited. Be cautious of emails that you were not expecting to receive.
- Often, unsolicited emails are from senders outside of the university. At OHIO, emails originating from external senders will have an “External” tag in the subject line and contain a light-yellow band at the top of the message that reads: use caution with links and attachments.
- Too good to be true. If it sounds too good to be true, it probably is. Part-time job scams often offer to pay an exorbitant amount of money for a simple task.
- Asking for personal or financial information. Report emails asking for personal information. For example: the IT department would never email you with a link requesting you provide your university credentials to keep your account active.
- Deceptive web links. Hover your mouse on the hyperlink to view its true destination. If you don't recognize it, don't click it.
- Variations of legitimate addresses. For example, an email address ending in @ohio-edu.org instead of @ohio.edu.
- Fake sender's address. Click the sender's name to view the email address. If the email address is not something you recognize from the alleged sender, proceed with caution.
- Requesting urgency. The intention of urgency is to influence users to act quickly to prevent them from noticing suspicious elements.
- Fraudulent sites often don't start with HTTPS. The "s" stands for secure. Never sign into websites that are not using HTTPS.
- Misspelled words and bad grammar. Phishing emails often contain misspellings and grammar issues.
The Phish Bowl
The Phish Bowl is a tool designed to promote phishing awareness by documenting campus-wide phishing messages that are reported to Information Security. There is no concrete way to prevent phishing attacks, meaning awareness is our strongest line of defense. As widely impacting phishing messages are reported, they will be posted on the Phish Bowl along with a verdict and a date. Phishing messages come in a variety of formats; be sure to check out the different types of phishing messages posted to the Phish Bowl to see common phishing attempts the University receives.
Reporting phishing
To report a phishing message or ask for assistance in determining legitimacy, please forward the email as an attachment to security@ohio.edu. You can learn how to .
Additional phishing resources
Here at OHIO, the Information Security Office provides multiple resources to help identify phishing messages and prevent our community from falling victim to scams. Be sure to check out the resources below!
- Our online video, , provides useful information about recognizing phishing emails.
- Learn more about
- Follow these email best practices to avoid crafting emails that appear to be phishing.
- Request a simulated phishing exercise facilitated by the Information Security Office for your team or department to test their skills around identifying phishing messages.
- Online IT Security Training through Vector Solutions is free training that teaches the OHIO community tips and tricks on how to spot phishing messages. The course titled Cybersecurity Awareness for Educational Leaders: Safeguarding Against Social Engineering Attacks is a great way to learn more about these types of messages. Check out this on how to self-enroll.
- for a wide variety of educational resources to learn how to protect yourself, your family, and your devices.
What to do if you clicked on a link
If you clicked on a link or button in a scam email and entered your OHIO ID and password into the resulting site, you should change your password immediately. If you need assistance changing your password, contact the IT Service Desk at 740-593-1222 or servicedesk@ohio.edu.