CISO Update #30: November
Don’t Touch That Phish!
Often we use this monthly column to let you know about cybersecurity trends and events in the higher education space or in the world at large. This month we’re going to focus on something that happened here at FIT, because it illustrates several key points about how each of us can protect the college and ourselves.
As a public institution, FIT publishes a lot of information about itself. It’s easy for attackers to find out who our executives are and who works in their departments. This became apparent when a scammer spoofed the personal email account of a cabinet member (let’s call the cabinet member Joe_Cabinet) and wrote to many members of Joe’s department asking for personal information, using an email account called JoeCabinet87@gmail.com.
FIT’s email system properly identified the emails as phishing attempts and put them in the recipients’ spam folders. Most recipients correctly ignored the emails, and a few wrote to Joe at Joe’s FIT email to confirm whether the email was real. But some opened the email. In this particular case the email carried no links to download malware, so opening it was harmless, but phishing emails are often built specifically to download malware onto the recipient’s computer.
What can you do?
One of the “4 Don’ts” in our recently introduced email safety campaign is “Don’t Assume email from a strange place is benign.” It would be pretty unusual for a cabinet member to ask you for personal information from a non-FIT account.
Gmail does a really good job recognizing and categorizing phishing emails. If you see something in your junk or spam folders, don’t interact with it unless you are very sure it’s legitimate.
The best way to verify whether something is legitimate is to contact the apparent sender through a known email account or phone number and check with them directly.
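The incident above is a textbook case of executive impersonation: a real person's name, a free-mail address, and a request for personal information. The script below is an added illustration, not FIT's mail filtering and not part of this column, of the check a mail gateway or a security team can run to catch that pattern before the message ever reaches a spam folder. The institution domain (college.example), the executive roster, and every sample header are constructed placeholders; the real cabinet list and FIT's domain are deliberately not reproduced. It also goes one step beyond the column by flagging a genuine-looking From address whose Reply-To steers answers to an outside mailbox, which is the same trick in a different header.

```python
"""Added example: flag mail that uses a known executive's name from an
address outside the institution, the pattern in the incident above.
All names, domains and headers below are constructed placeholders."""
import re
from email.utils import parseaddr

INSTITUTION_DOMAIN = "college.example"   # assumed placeholder, not FIT's real domain
# Hypothetical directory excerpt; FIT's real cabinet roster is not reproduced here.
EXECUTIVES = ["Joe Cabinet", "Dana Provost"]


def _norm(text):
    """Keep only lowercase letters, so 'Joe Cabinet', 'joe.cabinet' and
    'JoeCabinet87' all normalise to 'joecabinet'."""
    return "".join(re.findall(r"[a-z]+", text.lower()))


def impersonated_executive(display_name, address):
    """Return the executive whose name appears in the display name or in
    the local part of the address, or None if no name matches."""
    local = address.rpartition("@")[0]
    for name in EXECUTIVES:
        key = _norm(name)
        if key and (key in _norm(display_name) or key in _norm(local)):
            return name
    return None


def classify(headers):
    """Classify a message from its From and optional Reply-To header values.

    Verdicts: 'reject' (unparseable sender), 'quarantine' (executive name
    used from an outside domain, or replies diverted to an outside domain),
    'deliver' (no impersonation indicators).
    """
    display, addr = parseaddr(headers.get("From", ""))
    if "@" not in addr:
        return "reject", "unparseable From address"
    from_domain = addr.rpartition("@")[2].lower()
    who = impersonated_executive(display, addr)
    if who and from_domain != INSTITUTION_DOMAIN:
        return "quarantine", f"{who} impersonated from {from_domain}"
    # Generalisation beyond the column: a genuine From address whose replies
    # are steered to an outside mailbox is the same trick in another header.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply:
        reply_domain = reply.rpartition("@")[2].lower()
        if from_domain == INSTITUTION_DOMAIN and reply_domain != INSTITUTION_DOMAIN:
            return "quarantine", f"Reply-To diverts to {reply_domain}"
    return "deliver", "no impersonation indicators"


# Constructed sample messages mirroring the incident described above.
SAMPLES = {
    "lookalike": {"From": "Joe Cabinet <JoeCabinet87@gmail.com>"},
    "genuine":   {"From": "Joe Cabinet <joe.cabinet@college.example>"},
    "diverted":  {"From": "Joe Cabinet <joe.cabinet@college.example>",
                  "Reply-To": "JoeCabinet87@gmail.com"},
    "vendor":    {"From": "Campus Store <orders@vendor.example>"},
    "broken":    {"From": "Joe Cabinet"},
}


def triage(samples=SAMPLES):
    """Run every sample through classify and return name -> verdict."""
    return {name: classify(hdrs)[0] for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:10s} {classify(hdrs)}")
```

The name match is deliberately loose (letters only, ignoring dots, digits and case) because lookalike accounts add digits or punctuation precisely to slip past exact-match rules; the trade-off is that an unrelated outside sender who shares an executive's name is quarantined rather than delivered, which for a senior-staff roster is the safer failure. A real deployment would source the roster from the directory rather than a hard-coded list and log every quarantine so the security team can see attempts like this one.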
Stay aware, and stay cybersafe!