Phishing

IMSS will never ask you for your password in an email. If a suspicious email is received please notify the security team.

Phishing is a scam in which an email user is tricked into revealing personal or confidential information that the scammer can then use illicitly. Phishing scams can be designed to reach large groups through broad campaigns, or they can be aimed at particular groups or individuals. Targeted phishing campaigns are known as spear phishing.

Phishers usually launch a campaign for one of two reasons:

  • as a means of stealing data from the victim (typically login credentials and other personal information) for later use
  • as a means of installing malicious software on the victim's computer

Spear phishing

Spear phishing is a targeted form of phishing. A spear phisher has conducted research on the intended victim or victims, and then uses that information in the email to increase the chances of tricking the user. In a spear phishing campaign, the goal is more likely to be remote access to and control over the victim's computer.

Protect yourself

  1. Be wary of emails asking for confidential information. IMSS will never ask you for your password.
  2. Don't be intimidated into revealing sensitive information like passwords and user names. Phishers will use different ruses that could include making false claims of a data breach, or threatening to delete accounts in order to get a victim to "verify the account" by providing sensitive information.
  3. Generic-looking requests for personal information are most likely a scam. Most phishing campaigns are designed to reach as many victims as possible. To that end, the scam email will avoid including user-specific information.
  4. Never submit confidential information via forms embedded within email messages.
  5. Avoid clicking links within an email message to connect to a web site. Instead, open a new browser window and type or paste the URL directly into the address bar, or use your existing bookmark to access the site. Many mail programs let you "hover" your mouse pointer over a link and will show you the URL (web address) the link actually points to; there is sometimes a big difference between what the link text says and where it really takes you. Always check the address bar in your web browser to confirm which site you are on.
  6. Bear in mind that sender addresses on email messages can be easily falsified. Don't assume that an email really originated where the sender address claims, e.g., help@caltech.edu or antifraud@irs.gov. Examining the full message headers of an email (see #7 below) can help you determine where a message really came from.
  7. If you suspect a phishing scam but aren't sure, or the scam message claims to be from Caltech, send a copy of the email to security@caltech.edu. Please be sure to include the full message headers or "raw source" of the email message, so that we have as much information as possible. Instructions for displaying full message headers using a variety of email programs can be found here (www.spamcop.net/fom-serve/cache/19.html).
  8. Avoid reusing passwords. If you are successfully tricked into exposing your password to a scammer, the attacker will try that password on other sites to see if it works there. For example, they may check to see if you have a Facebook account, and try the password there. If your password for some other site is obtained, and your account has your Caltech email address associated with it, the attacker will try to use that password to get into your Caltech account as well.
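Steps 5 through 7 above describe checks that can also be done mechanically on the "raw source" of a message: reading the Received headers oldest-first to find the originating host, comparing the From address against Return-Path and Reply-To, and comparing each link's visible text with where its href really points. The script below is an added example that is not part of this page or of any IMSS tool; it uses only the Python standard library. The raw message it inspects is constructed for illustration (the addresses, hostnames and IP addresses in it are made up), and the checks are indicators to look closer at, not proof that a message is a phish.

```python
"""Inspect a raw email message for common phishing indicators (added example).

Implements three of the manual checks recommended above: the Received chain,
sender-header consistency, and link text versus link target.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration only; every host, address and
# IP address below is made up (RFC 5737 documentation ranges for the IPs).
SAMPLE_RAW = """\
Return-Path: <bounces@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.25])
 by mx.example.edu with ESMTP; Mon, 1 Jan 2024 09:00:02 +0000
Received: from unknown-host (unknown [203.0.113.77])
 by mail-relay.example.net with SMTP; Mon, 1 Jan 2024 09:00:00 +0000
From: "IMSS Help Desk" <help@caltech.edu>
Reply-To: verify-account@example.net
To: user@caltech.edu
Subject: Your account will be deleted
Content-Type: text/html; charset="utf-8"

<html><body><p>Verify your account within 24 hours:
<a href="http://198.51.100.25/login">https://www.caltech.edu</a></p></body></html>
"""

# Visible link text that looks like a web address (optional scheme, a dotted host)
_URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def parse_message(raw):
    """Parse raw message text with the modern email policy (unfolds headers)."""
    return message_from_string(raw, policy=policy.default)


def _domain(header_value):
    """Lowercase domain of the address in a From/Reply-To/Return-Path header."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def received_chain(msg):
    """Received headers oldest-first. Each relay prepends its own header, so the
    message lists them newest-first; reversing gives the path the message took,
    starting with the originating host."""
    return [" ".join(str(h).split()) for h in reversed(msg.get_all("Received", []))]


def sender_mismatches(msg):
    """Report Return-Path / Reply-To domains that differ from the From domain.
    Legitimate bulk senders do this too, so treat a hit as a reason to look closer."""
    findings = []
    from_dom = _domain(msg.get("From"))
    for hdr in ("Return-Path", "Reply-To"):
        dom = _domain(msg.get(hdr))
        if dom and from_dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html):
    """Anchors whose visible text names one host but whose href goes elsewhere
    (the hover-over-the-link check from step 5, done on the source)."""
    collector = _LinkCollector()
    collector.feed(html)
    out = []
    for href, text in collector.links:
        if not _URLISH.match(text):
            continue  # plain words like "click here" cannot be compared
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        real_host = urlparse(href).hostname or ""
        if shown_host != real_host:
            out.append((text, href))
    return out


def assess(raw):
    """Run all checks over a raw message and return the findings."""
    msg = parse_message(raw)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "received": received_chain(msg),
        "sender": sender_mismatches(msg),
        "links": link_mismatches(html),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports the first hop as an unnamed host at 203.0.113.77, two sender mismatches (Return-Path and Reply-To are not caltech.edu even though From claims to be), and one link whose visible text says www.caltech.edu but whose target is a bare IP address. Those are exactly the details to paste into a report to security@caltech.edu along with the full headers.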

Examples

Some examples of phishing attacks against Caltech personnel can be found here.

Can you tell the difference?

There are several good self-tests to help you practice distinguishing between legitimate messages and phish. Some examples:

OpenDNS Phishing Quiz
SonicWall Phishing IQ Test