Defending Email Accounts Against Phishing Attacks
Each year, an estimated 17.6 million Americans are victims of identity theft. About 10 percent of them spend more than a month resolving the issues caused by the misuse of their identity. One of the most popular attack vectors used by identity thieves is phishing email.
What is Phishing?
Phishing emails are a type of scam that appear to originate from a trusted source to trick people into entering their credentials or other personal information. Attackers attempt to steal this information to make money via identity theft or to launch cyber attacks against organizations to gain access to their proprietary information.
Phishing emails often include general statements like “Your email is full. Sign in now or your account will be deactivated.” Their general message allows attackers to send this email to thousands of people at the same time in an attempt to collect information. Even if a small percentage of the total recipients of a phishing email provide information, that could still constitute hundreds of individuals whose personal information is now compromised.
Understanding the Danger
Many people express sentiments like “If someone wants to read my mail, go for it,” but belittling the value of an email is dangerous. Email accounts are frequently set to receive digital banking statements, bills, pay stubs, receipts, and financial aid information. They are also frequently used as a method to recover access to other accounts. With access to an email account, an attacker can easily determine the target’s bank, utilize the bank’s “forgot password” functionality, and gain access to the account.
Identifying a Phishing Email
Since phishing emails pose a large risk to individuals and organizations, it is important to know how to identify one. Watch for the following:
- Generic greetings and signatures like “Dear User”
- Emails that claim to be official but are not from official email addresses
- Emails that create a sense of urgency
- Misspellings and grammar mistakes
Remember that Kent State does NOT delete @kent.edu email accounts and will NEVER ask for passwords via email.
Many phishing emails link to an attacker-controlled website that prompts for information. Understanding how to detect these malicious pages is also important.
- Check for slight misspellings in the URL, company name, etc.
- Check that the site is at a kent.edu URL. The word “Kent” anywhere else in the URL does not mean that it is a legitimate Kent State website.
- Mouse over links in emails to verify the destination (not required for Kent State Outlook accounts)
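As an added example (not part of the Kent State page), here is a Python check that applies the kent.edu rule above to the link's parsed hostname rather than to the raw link text, which is what defeats the “Kent appears somewhere in the URL” trick. The sample links are constructed; the .example domains are placeholders, not real sites.

```python
from urllib.parse import urlsplit

# Domain under which the page says legitimate Kent State sites live.
TRUSTED_DOMAIN = "kent.edu"


def is_trusted_kent_url(url: str) -> bool:
    """True only if the link's parsed hostname is kent.edu or a subdomain.
    Deciding on the hostname, not the raw string, means "kent" in the path,
    in a lookalike domain, or in userinfo (https://kent.edu@evil.example/)
    never makes a link trusted.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):  # only plain web links qualify
        return False
    # hostname is lowercased with userinfo and port removed; a trailing dot
    # ("kent.edu.") is the same DNS name, so drop it before comparing.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def triage_links(urls):
    """Return (url, label) pairs labelled trusted, lookalike or external."""
    results = []
    for url in urls:
        if is_trusted_kent_url(url):
            label = "trusted"
        elif "kent" in url.lower():
            label = "lookalike"  # mentions kent but is not under kent.edu
        else:
            label = "external"
        results.append((url, label))
    return results


# Constructed sample links of the kind a phishing email might carry.
SAMPLE_LINKS = [
    "https://login.kent.edu/sso",                    # real subdomain
    "HTTPS://WWW.KENT.EDU:443/",                      # case and port differ
    "https://kent.edu.account-verify.example/login",  # kent.edu as a prefix
    "https://kent.edu@evil.example/",                 # kent.edu in userinfo
    "https://example.net/kent.edu/",                  # kent.edu in the path
    "https://secure-kentstate.example/",              # "kent" in a lookalike
    "https://example.org/offer",                      # unrelated site
]
```

Calling `triage_links(SAMPLE_LINKS)` labels only the first two links trusted; the four that merely contain “kent” come back as lookalikes.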
Kent State Enables Enhanced Email Security Protection
To help protect against malicious email, IS has implemented additional protections for faculty/staff email accounts. These protections work to detect phishing email and provide notifications when a clicked link appears to be a scam. If an email link returns a page similar to the warning below, the legitimacy of the link should be strongly scrutinized.
What to do if You Receive a Phishing Email
If you believe you have been the victim of a phishing scam:
- Change your passwords immediately
- Check the settings on your email account
- If your email contains banking information, tax information, or any personally identifiable information like Social Security Numbers, review the IRS’ “Taxpayer Guide to Identity Theft” at www.irs.gov
Contact the Office of Security and Access Management at 330.672.5566. If you receive a phishing email, please forward it to firstname.lastname@example.org.