Phishing Guide

About this Guide

This guide describes techniques for identifying phishing messages and explains how to report them.

What Is Phishing & Types of Phishing

Phishing is a cybercrime where individuals are deceived into providing sensitive information, such as personal details or passwords, by someone posing as a legitimate institution. The objective is often to steal data or install malware on the victim’s device.

 Common Types of Phishing:
  • Email Phishing: Fraudulent emails that appear to be from reputable sources, prompting recipients to divulge personal information or click on malicious links.
  • Smishing (SMS Phishing): Phishing attempts conducted through text messages, urging individuals to click on malicious links or provide personal information.
  • Vishing (Voice Phishing): Phishing attacks executed via phone calls, where the caller impersonates a trusted entity to extract sensitive information.
  • Spear Phishing: Targeted phishing attacks tailored to a specific individual or organization, often using personal details to appear legitimate.
  • Whaling: A form of spear phishing that targets high-profile individuals, such as senior executives, to gain access to sensitive information or systems.
  • Angler Phishing: Scammers masquerade as customer service representatives on social media to deceive individuals into providing personal information.

Techniques to Identify a Phishing Message

(Example image: an urgent email notification asking you to verify your account.)
 Be vigilant for the following signs that may indicate a phishing attempt:
  • Urgent or Threatening Language: Messages that create a sense of urgency or fear, prompting immediate action.
  • Suspicious Email Addresses: Email addresses that closely resemble, but don’t exactly match, legitimate ones (e.g., “[email protected]” instead of “[email protected]”; note the extra “.” before edu).
  • Generic Greetings: Use of non-personalized salutations like “Dear Customer” instead of your actual name.
  • Emails Marked with [EXT]: Messages with [EXT] in the subject line or sender field indicate they are from external sources and require extra scrutiny. Be cautious, especially if the email requests sensitive information or includes links/attachments.
  • A Warning Banner: Gmail may display a warning banner at the top of the email, alerting you to dangerous messages, unsafe content, or deceptive websites.
  • The Method Used to Contact You is Suspicious: An unsolicited email may be suspicious if a company typically contacts you via phone or app notifications.
  • Requests or Demands for Information: Phishing emails may ask for sensitive information that the company they’re imitating should already have (e.g., account numbers or passwords).
  • Unexpected Attachments or Links: Unsolicited emails containing attachments or links, especially from unknown senders.
  • Requests for Personal Information: Legitimate organizations typically do not ask for sensitive information via email.
  • Mismatched URLs: Links that, when hovered over, display a different URL than what is shown in the email.
  • Unusual Sender Behavior: Even if the email comes from someone you know, look for odd behavior, such as out-of-character tone, unexpected requests, or strange timing (e.g., emails sent in the middle of the night).
  • Spoofed Company Branding: Legitimate-looking emails with logos and designs, but upon closer inspection, you’ll notice inconsistencies like low-resolution images, outdated branding, or incorrect company colors.
  • Requests for Login Verification: Emails claiming your account is “suspended” and urging you to “log in” via a provided link are classic bait. When in doubt, browse directly to the company’s site instead of clicking the link in the email.
  • Overly Enticing Offers: Unbelievably good deals (e.g., “You’ve won $1,000,000!” or “Free iPhone 17!” or “Limited-Time Internship”) or rewards for no reason. 
  • Suspicious Attachment Types: Common phishing attachments include .exe, .zip, or .scr files. Legitimate businesses rarely send executable files or compressed folders, and attackers often hide the real file type behind a double extension such as invoice.pdf.exe.
  • “Reply Here” Scams: Be wary of emails urging you to reply with sensitive information rather than directing you to a secure platform. 
  • “Reply-to” Scams: Be vigilant of who you are replying to. Scammers will often craft emails so that you end up replying to a different email than the original sender. 
  • Fake Security Alerts: Emails pretending to be from your bank or a tech provider claiming “unusual login attempts” but with suspicious details or poor formatting.
  • Voice Phishing Cues (Vishing): If the email includes a phone number to call, be suspicious. Cross-check it with official contact details from the company’s legitimate website.
  • Poor Grammar and Spelling: Emails riddled with grammatical errors or unusual phrasing. Attackers increasingly use generative AI (GenAI) to write phishing emails, so this clue is becoming less common; it is still worth reading incoming email with this classic sign in mind.
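Several of the indicators above can be checked mechanically on a saved message. The script below is an added example, not part of this guide or of any FIT tooling: using only the Python standard library, it parses a raw .eml message and flags a Reply-To domain that differs from the From domain, a sender domain that imitates a trusted one (including the extra-dot case), links whose visible text names a different host than the real target, urgency wording, and risky attachment extensions. The trusted domain example.edu, the 0.75 similarity threshold, the phrase and extension lists, and the sample message are all assumptions constructed for this demonstration.

```python
import re
from difflib import SequenceMatcher
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example.edu"   # assumption: the organisation's real domain
RISKY_EXTENSIONS = (".exe", ".scr", ".zip", ".js", ".lnk", ".iso")
URGENCY_PHRASES = ("immediately", "suspended", "within 24 hours", "verify your account", "act now")
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

# Constructed sample message (not a real one) exhibiting several indicators at once.
SAMPLE_EML = b"""From: "IT Help Desk" <helpdesk@example-edu.com>
Reply-To: support@mail-verify.example
Subject: [EXT] Urgent: your account will be suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer, verify your account immediately.</p>
<p><a href="http://login.example-edu.com/verify">https://www.example.edu/account</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ
--b1--
"""

def domain_of(header_value):
    """Lower-cased domain of the first address in a header ('' if absent)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def is_lookalike(domain, trusted=TRUSTED_DOMAIN):
    """True for 'examp1e.edu', 'example-edu.com' or 'example..edu'; false for the real domain."""
    if not domain or domain == trusted:
        return False
    label = trusted.split(".")[0]
    return label in domain or SequenceMatcher(None, domain, trusted).ratio() >= 0.75

class Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Links whose visible text names a host other than the real target."""
    parser = Anchors()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        if not URL_LIKE.match(text):      # plain words like 'click here' cannot claim a host
            continue
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and shown != real:
            out.append((href, text))
    return out

def analyze(raw_bytes):
    """Return (indicator, detail) findings for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:
        findings.append(("REPLY_TO_MISMATCH", f"{sender} -> {reply_to}"))
    if is_lookalike(sender):
        findings.append(("LOOKALIKE_SENDER", sender))
    subject = str(msg["Subject"] or "")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        for href, shown in mismatched_links(text):
            findings.append(("LINK_MISMATCH", f"shows {shown}, goes to {href}"))
    hits = [p for p in URGENCY_PHRASES if p in (subject + " " + text).lower()]
    if hits:
        findings.append(("URGENCY_WORDING", ", ".join(hits)))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(("RISKY_ATTACHMENT", name))
    return findings
```

Running analyze(SAMPLE_EML) reports all five indicators; a plain message from the trusted domain with no links or attachments produces no findings. These are heuristics, so treat a hit as a reason to verify through official channels rather than as proof, and note that a lookalike check on the From header does not replace the mail server's own SPF/DKIM/DMARC evaluation.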

What to do if you receive a suspicious message

  • Do Not Click Links or Download Attachments: Avoid interacting with any links or attachments until you’ve verified the message’s legitimacy.
  • Verify the Sender’s Identity: Contact the organization directly using official contact information, not the details provided in the suspicious message.
  • Check for Red Flags: Review the message for signs of phishing, such as those listed above.
  • Consult Official Sources: Visit the organization’s official website or contact their customer service to confirm the message’s authenticity.

How to Report a Phishing Email

Do Not Interact: Do not click on any links or download attachments. Do not reply to the message. 

  1. Reporting to FIT’s Cybersecurity Team:
    • Forward the Email to [email protected]: Include any relevant details that may assist in the investigation.
  2. Reporting Phishing in Gmail:
    • Click the Three Dots Next to the Reply Arrow: Located in the top-right corner of the email.
    • Select “Report Phishing”: This will notify Gmail of the phishing attempt and move the email to your Spam folder.
    • Delete the Email: Delete the email from your Spam folder. 

By staying informed and cautious, you can protect yourself and the FIT community from phishing threats. For detailed instructions, please visit our self-service article How to report phishing.

Additional Training Resources

  • Video from the Cybersecurity and Infrastructure Security Agency (CISA).
  • Top-Clicked Phishing Emails (Q3 2024) (KnowBe4)
  • Avoid Social Engineering and Phishing (CISA Advisory)
  • Resource Library