It’s a play on the word ‘fishing’ where you use bait to catch a victim – in this case, it’s often through your emails but increasingly Phishing is being done via phone and SMS.
It involves an attempt to get you to take action to provide sensitive information such as passwords, bank account numbers or even attempts to affect your devices with malware or ransomware.
Phishing is based on social engineering and it’s become sophisticated! We’ve moved beyond the old style of multiple spelling mistakes and missing graphics claiming to need your bank account for the lotto win or inherited millions from someone you didn’t even know – generous, right! These days graphics look legitimate and the URL even looks like it belongs to the organisation it claims to be. But look closer; when you hover over the link, check the full URL, not just the first part.
Setting up and operating a phishing attack is fast, cheap and low risk (but we seriously don’t recommend it). It relies on using social factors to manipulate people to click on links or download questionable content.
Attack methods have expanded to include other avenues such as social media and text messaging and use methods including urgent styled language, threatening dire consequences if action is not taken and inferring assumed authority to get you to act. Attackers use strong verbs such as ‘urgent’ and ‘immediate’ to get a quick response before someone can think through the situation.
Some tips to help you recognise an attack:
- Protect your login details – no legitimate organisation or company will ask for your username and password – so don’t provide them if asked.
- Beware of email attachments – email attachments are the most common vector for malicious software. Unless you trust the source and expected content – don’t open it!
- Think before you click! – phishing emails often have malicious web links – as per attachments, unless you trust the source and expect content – don’t click the link.
- If in doubt – sometimes it’s difficult to tell a genuine email from a phishing email. If you are unsure if an email is genuine or not, check with the IT Service Centre or independently visit the official website to check and confirm if the query is genuine.
- Report Phishing Emails – reporting phishing emails to the IT Service Centre on firstname.lastname@example.org helps to bring down any phishing campaigns and block malicious links which other staff might also receive and fall victim to.
If you believe you have fallen victim to a Phishing email:
- Immediately change your password for any accounts or systems you use that same password for. Try to use a passphrase as a password and use different ones for different accounts/systems wherever possible (always keep your Griffith password separate to any personal use).
- Ensure your device is cleaned from malware (this may involve wiping the entire device in a worst-case scenario). Contact IT Service Centre or run a virus scan on your computer to detect any malware.