Purdue signature

September 4, 2013

Seven tips to help identify a fraudulent ‘phishing' email

WEST LAFAYETTE, Ind. — More and more sophisticated phishing attempts have led to an increase in the number of individuals at Purdue falling victim to email scams.

Purdue is able to flag compromised accounts using automatic systems to detect when large volumes of identical emails (1,000 or more recipients in 15 minutes) are sent out. During a three-week timespan in July, those systems stopped more than 30,000 SPAM messages from being delivered to more than a million people, said Mike Rubesch, associate vice president of IT infrastructure services. Rubesch also says those security measures likely prevented all @purdue.edu email addresses from being blacklisted as a SPAM source by various email hosting services. 

But not all attacks can be prevented. A recent survey released by Halon, an IT security and infrastructure company, found that nearly 9 percent of Americans who received emails containing a virus, spyware or malware opened the attachment and infected their computer.

"Every day these emails become more targeted and polished, which is why more people are falling for them," says David Shaw, chief information security officer at Purdue. "The emails might feature a familiar company's logo and brand, or the link might redirect someone to a site that imitates the appearance of a real website. As soon as you log in to one of these spoofed sites, a hacker can view your login credentials and access a number of secured systems before you realize your security has been compromised."

So how can you distinguish good emails from bad? Below are seven questions to ask when browsing your inbox, which serve as general guidelines for identifying phishing attempts. The more red flags you see in an email, the more likely it's not legitimate.

1. Does the message contain general salutations and signatures? Most phishing attempts begin with generic phrases like "Greetings valued customer," or "Dear account user." Most legitimate companies, on the other hand, will include an intended recipient's name in their correspondence. Another indication of a phishing attempt is a general signature at the end of the message, such as "Messaging Group."

2. Are the URLs legitimate? Emails containing Web links should always be questioned. One way to verify a link's legitimacy is to hover your mouse cursor over embedded links and make sure the link uses encryption (https://). Also, if the link in the text isn't identical to the URL displayed as the cursor hovers over the link, that's a sure sign it's taking you somewhere you don't want to go. Another best practice: open a new browser window and visit a site directly by pasting in its Web address, or URL, rather than simply clicking the link in an email and going wherever it takes you.

3. Is the sender requesting personal information? Providing personal information through email or by phone in response to an unsolicited request is always a bad idea. Messages soliciting passwords, Social Security numbers and other personal information are scams.

4. Is the email asking you to take immediate action? Hackers want you to respond without thinking. Phishing emails might even claim a response is required within a short timeframe because your account has been compromised. Watch out for language directing you to update an account, download an attachment, visit a website, provide personal information, etc.

5. Does the message contain suspicious attachments? Legitimate organizations, including Purdue, rarely send attachments via email. Opening attachments can cause automatic malware downloads or lead to compromised personal information. High-risk attachment file types include: .exe, .scr., .zip, .com, .bat.

6. Is the email making promises that seem too good to be true? Then they probably are. Any message offering to put money in your bank account with a single click is a scam.

7. Are there misspellings or typos? An email from a legitimate organization should be well-written. Grammar and spelling mistakes are red flags.

Individuals who recognize a phishing message should delete the email from their inbox and then empty their deleted items folder to avoid accidentally accessing harmful links, Shaw says. Individuals also can report a phishing scam attempt to the company that is being spoofed, or notify their company or institution if the email is delivered to a work or academic account.

Writer: Andrea Thomas, 765-496-8204, thomas78@purdue.edu 

Sources: Mike Rubesch, associate vice president of IT infrastructure services, 765-496-8308, mrubesch@purdue.edu

David Shaw, Purdue chief information security officer, 765-496-8289, shaw46@purdue.edu 

Related websites:

SecurePurdue website