Grace Kim - a student at Queen’s University - receives an email stating that someone from the United States attempted to log in to her Microsoft account. The email advises her to click on a link if the login attempt is not recognized.
Grace notices that the sender’s email address is a standard account and not the official Microsoft corporation account address. When Grace hovers over the link provided, she can see that it does not direct her to an official Microsoft URL. This raises suspicion.
Clicking on the link opens a page that appears identical to the official Microsoft 365 login page. The address bar displays a warning that the website is not secure, and the URL is not an official Microsoft 365 URL.
Grace determines that this login page is a clone of the official Microsoft 365 login page. Entering her password would have allowed the hacker to capture it and obtain access to her account! Grace closes the window and reports the email as phishing to IT Services.
What is Phishing?
Phishing attacks are some of the most common cyber attacks aiming to gain unauthorized access to your data. Cyber criminals have become experts at using sophisticated techniques to trick victims into sharing personal or financial information.
What Does Phishing Look Like?
Phishing is the most common form of attack.
Phishing occurs when someone impersonates a trusted entity through email or posted messages to try and fraudulently obtain personal information, financial information, or access to systems. The email or message prompts the targeted individual to act. The action could be to click on a link, provide information, open an attachment, download a file, or provide remote access to a computer or mobile device. Completing the action provides the threat actor with information or access to the victim’s account.
Once the threat actor has access to your accounts, they may use this access to carry out a larger cyberattack.
Types of Phishing Attacks
Phishing campaigns are untargeted attempts to solicit personal details by casting as wide a net as possible to get people to respond.
A phishing attempt through SMS (text message).
A hyper-targeted phishing attempt in which a message is designed to sound like it’s coming from a source you know personally.
A phishing attempt aimed at a high-profile target such as a senior executive or other high-ranking official in an organization or government department
Involves creating a fake website to get someone to share their personal information.
How to Protect Yourself from Phishing Attacks
There is no simple way to ensure you are fully protected against phishing campaigns.
Phishing campaigns are becoming increasingly elaborate, and the growth of digital platforms, like social media, has given cyber criminals many opportunities to reach victims. The recommendations below can help you protect yourself from phishing attacks:
- Be extremely cautious any time you receive a message that asks you to reveal personal information – no matter how legitimate that message may appear
- Try to verify requests for information through another means
- For example, if you receive an email claiming to be from PayPal, you could reach out to PayPal directly via the contact information on their website to verify the message.
If you're not sure if a message is a phishing attack, check out this Phishing Graphic to learn look for. Remember, most legitimate organizations will never ask you to reveal information through an email or text message.
Other Resources
This Week's Challenge
Test your knowledge with our phishing quiz. Note that you will be prompted to log in with your NetID and password. When you're ready, click the link below to begin the quiz.
This quiz will collect your name, Queen's email address, and NetID to notify winners of where and how to redeem their prize. Your data will not be shared with any other party or used for any other purpose.