Email and Phishing
Email is convenient and easy, but have you considered the risks to your confidentiality and privacy when using email?
Email is protected under the Electronic Communications Privacy Act but having a law does not guarantee that email text is secure. In fact when working in email, there should be no expectation of confidentiality or integrity, and sending or soliciting Personally Identifiable Information (PII) should be avoided.
Personally Identifiable Information (PII)
"Any information about an individual..., including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information this is linked or linkable to an individual, such as medical, education, financial, and employment information." -- NIST (http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf)
Examples of PII
- Full name
- National identification number
- Driver's license number
- Face, fingerprints, or handwriting
- Credit card numbers
- Birthdate
- Birthplace
- Genetic information
- Education records
- Health records
Tips for emails containing PII
- Never send Personally Identifiable Information (PII) over email. Communicate this type of information over the phone or sealed postal mail.
- Never ask anyone to send confidential information to you over email.
- If someone sends you PII voluntarily through email:
- If you need to respond, create a new email instead of replying so that you do not re-transmit the PII in the quoted message.
- If you do reply, remove the PII from the quoted text before sending.
- Delete the email that contain the PII and if needed have the email re-sent without the confidential information.
- Putting confidential information in a PDF attachment or other unencrypted format is not a secure practice and does not protect confidentiality.
Please forward any emails that contain a phishing attack to phishing@calvin.edu. Forward as an attachment.
Phishing
Phishing is defined as the fraudulent practice of sending emails claiming to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. Phishing attacks can be very sophisticated and targeted containing specifics pertaining to an individual or a group. Criminals who engage in phishing tactics are hoping to lure people not unlike real fisherman using enticing bait with a nasty hook. The scams propagated often prey on fears or other human emotions that can be manipulated.
Indicators of a phishing email
While not all phishing emails are immediately identifiable, there are some indicators of a phishing email:
- May have poor grammar
- May include spelling errors
- Tone is characterized by urgency ("Respond within 24 hours or your account will be cancelled.")
- May ask for personally identifiable information like usernames, passwords, account numbers, etc.
- May contain web links to fake websites that look very similar to the sites they are falsely claiming to be
- May contain official logos and use legal jargon
- May include an attachment that the receiver is enticed to open
- Is often unexpected and out of the norm of normal communications
- May read like a generic message ("Dear Member/ User") or can be very specific including receivers name
- Email address is not a good indication of whether or not an email is legitimate. Email addresses can be "spoofed" or faked and phishers can put any email address and/or name in the From field. If the email is out of character or unexpected, be suspicious.
- Formatting/branding is not a good indication of whether or not an email is legitimate. Logos and other identifiable branding pieces from banks, retail stores, and credit card companies could easily be included in a phishing email. When in doubt contact the institution or company with a trusted phone number or by logging directly into your account from their website. Do not use any phone numbers or links in the email.
- Reputable organizations will never ask for account information via email (username, password, SSN, credit card number, etc.). Contact the organization directly if you are in doubt.
- Never click on links in suspicious email. Use a browser to navigate to the correct website.
If you suspect an email is a phishing scam, it probably is!
What to do if you fallen for a phishing scam
- Act immediately if you have been scammed. Contact the FTC's ID Theft Clearinghouse and report fraud to the National Consumers League.
- Contact the company who was targeted and inform them that you think you've fallen for a phishing scam. If you still hate the email or web page used, report that to the company as well (forward the email as an attachment so that all of the data is included).
- If you've given out your bank account number or credit card, report the incident to your bank or credit card company to have the account closed. The sooner they know, the better they can help to protect you.
- Contact the credit bureaus and have them place a fraud alert on your account. This informs potential creditors they must take extra precaution when issuing credit in your name.
- Change any passwords associated with the phishing attack and any other accounts using the same password.
When to contact the HelpDesk
Forward emails that contain a phishing attack by explicitly asking you to respond with any of the following information (forward as an attachment to phishing@calvin.edu):
- Username and password
- Social security number
- Account number
You do not need to contact the HelpDesk or forward emails that contain spam/junk including:
- Advertisements
- Requests for a response such as "I came across your profiles and really want to chat."
- Bounce messages for emails that you did not send
- Random or unsolicited job offers
- Messages that inform you that you have won a lottery or are inheriting a large sum for overseas
- Messages with attachments
Learn from a simulated phishing email
Pacific Northwest National Laboratory (U.S. Dept of Energy) had produced a simulation phishing email that contains many of the items discussed above. It is a learning tool you can use to familiarize yourself with phishing email indicators. email. https://www.pnnl.gov/coginformatics/showcase/simulation/phishing/phishing.html