What is phishing?
Phishing is a technique identity thieves use to steal your personal information, usually passwords or financial information. Like a fisherman using a lure to hook a fish, identity thieves try to lure you into giving up personal information by making what looks like a legitimate request from an organization you trust. These requests might look like they come from a bank, a credit card company, or even the University. Unfortunately, phishing scams can be highly effective.
Phishing can be very easy to spot or it can be surprisingly subtle: when you receive an email or phone call from an institution you don't do business with, it is easy to recognize the message as a scam. However, sophisticated phishing attempts use emails and phone calls that are crafted to look and sound like an official message from your bank, credit card company, or the University of Illinois.
Increasingly, phishing messages do not ask you to respond with your information by email. Instead, these messages contain links that look like they will send you to a legitimate site but actually send you to a copy designed to steal your personal information. To be safe, do not click on links in the email; visit websites by typing the web address directly into your browser's address bar.
It is important that you learn to spot phishing attempts - no matter what they look like - to protect yourself and your personal information.
What should I do if I spot a phishing attempt?
First and foremost, do not click any links or reply to the email. In most cases, just receiving a phishing email doesn't put you in danger. When you spot a phishing email, you can simply delete it.
If you receive a phishing email claiming to be from the University of Illinois or a staff/faculty member, you can simply delete it, or you can inform Tech Services by forwarding it as an attachment to email@example.com. Their system looks at the message and determines whether it's spam, and then adjusts to keep it from spreading to other people's email accounts. Here's how to forward an email as an attachment.
If you receive a phishing email in a personal email account, you can report it by forwarding it to the FTC's consumer-facing address - firstname.lastname@example.org - and to the company, bank, or organization impersonated in the email.
You can also report phishing email sent to your personal account to the Anti-Phishing Working Group at email@example.com or to the United States Computer Emergency Readiness Team (US-CERT).
It's possible to fake caller ID information, so do not trust a call just because you recognize the number. If you are not sure a phone call is legitimate, do not give out any information. You can confirm whether a phone call is legitimate by calling the organization back at a known good phone number.
Read through Tech Services' "How to Spot Phishing" guide: http://techservices.illinois.edu/security/phishing
See past phishing attempts targeted at the university: http://publish.illinois.edu/phishingalerts/
Visit snopes.com to see if the suspect email is on their list of known phishing scams.
Take this quiz to see if you can correctly guess whether emails are legitimate! (Quiz provided by SonicWall, an enterprise security company.)