


Protect Against Taking the Phishing 'Bait'

By Cindy Brauer

Along with death and taxes, “phishing” seems to be another inescapable fact of modern life. These malicious attempts to trick people using a computer or electronic device into providing sensitive information can result in serious consequences, including financial loss, identity theft, damaged reputations and compromised computer files.

Phishing is a significant online fraud threat to everyone, cautioned David Matusiak, information security manager for The Scripps Research Institute (TSRI), at a recent Cyber Awareness Workshop, sponsored by TSRI’s IT Services.

Matusiak outlined specific threats from phishing attacks, including:

  • Sending spam or viruses from the user's email account
  • Accessing anything on the user’s computer, including keystrokes, screen captures, documents, data, username/password combinations, financial information, social security numbers, etc.
  • Stealing money from the user’s online bank or credit card
  • Impersonating the user online or in the real world (identity theft, against which the victim has no federal protection)

Of particular importance to researchers, said Matusiak, is the threat of an attempt to log into servers to copy, change or delete research data and even change system passwords.

How Phishing Works

Phishing attacks initially occur through email. The message is usually an urgent notice—for example, that the user’s email will be disabled, a bank or credit card account has been hacked or a package is waiting for pick-up. Users are asked to confirm their identities or verify usernames and/or passwords by clicking a web link in the message or downloading an attachment.

The link generally redirects the user to what appears to be an authentic website, but is actually a malicious site that collects the user’s log-in or account data. Malware downloaded to the user’s computer can provide access to additional data and functions.

Log-in information for online browsers, credit card accounts, online purchase sites (e.g., Amazon, eBay, PayPal) and social media accounts (Twitter, Facebook, etc.) is a common phishing target, said Matusiak.

Detecting a Phishing Attack

Defending against a phishing attack requires awareness.

“Be suspicious if an email is unexpected and from an unknown, strange email address,” said Matusiak.

Other clues pointing to phishing attempts include a generic greeting (“Dear Banking Customer”), unusual subject line (“You have (1) New Message”), dire warnings or threats, misspelled words, poor grammar or legal-appearing language, such as a copyright notice by the supposed sender.

Matusiak suggested hovering the cursor over the web link in a suspicious email to see if it points to an unusual web address. “For example, if the email is supposed to be from Citibank, but the web link actually begins with ‘,’ you know it is not legitimate.”

In addition, every reputable web site, particularly when dealing with purchases or sensitive information, displays a small green lock icon and “HTTPS” in the URL address bar.

Use common sense and be suspicious “to a healthy degree,” Matusiak advised. “If you can clearly identify the email as fraudulent, then simply delete it. If you see a very well-crafted or novel phishing attempt, forward it to for our team to evaluate. And if you are not sure if a message is phishing, then reach out to your IT Help Desk.”

TSRI Help Desk information is available at on the IT Services website.


TSRI Information Tech Analyst David Matusiak warned that "phishing" is a significant online threat to everyone. (Photo by Cindy Brauer.)