Virtual Mentor Tips: Combating Phishing Scams

Hi Cyber Cougs,

In the context of online learning, electronic communications, and e-payments, it is vitally important that we protect our email accounts from scammers and phishing attacks. To curb the effectiveness of cyberattacks, WSU has added multi-factor verification as an additional step to secure your account and private information. You can find information on this industry-best security practice at its.wsu.edu/its-multi-factor-authentication/.

However, phishing schemes focus on the weakest link in the security system – the user – and as such, they will always find a way through it if we allow them in by opening the links in their emails. The only way to truly secure our accounts is to be suspicious and to start with the assumption that all links and attachments are malicious. When in doubt, always report to abuse@wsu.edu so that they can investigate and restore compromised accounts.

How to identify a phishing email?

Call to Urgent Action

A typical phishing email makes a claim that some urgent action is necessary on your part and that in order to carry out the action, you need to select a link or a button.

These emails might be telling you that something is wrong with your account (PayPal is a popular one recently) or that you’ve been selected for an internship opportunity, that you won a prize, or that you need to update something, but they typically urge you to react fast and reply or open the link immediately.

Spelling and Grammar

Most of these emails contain some spelling or grammar errors. They might be as small as a capitalization error, but if you carefully examine the email, you will likely find at least one.

Search

One quick way to identify a phishing email is to paste a phrase from the email into your search engine and look through the results. Most of these emails are generic, and you’ll likely see a mention of them come up in your search results. However, if nothing comes up but the message still sounds suspicious and asks for action, I would highly recommend staying cautious and forwarding it to abuse@wsu.edu. Additionally, you can select the More Actions button to choose Security Options and Mark as Phishing to block it in the future, but generally, most of these emails come from different compromised accounts anyway.

What happens if you open a phishing link?

First of all, selecting such links will validate your email address for the phisher. The links will usually take you to a phony website that prompts for your credentials. If you enter them, you will have granted the attacker access to anything protected by your username and password, including your email account. The attacker can then access your email and use it to send more targeted phishing emails to everyone on your email list. As you may have noticed, most of the phishing emails we have seen at WSU come from compromised @wsu.edu accounts, users like you and me, who accidentally opened a link in a phishing email. With MFA required now, the chance of this exploit being successful has been dramatically reduced. The attacker will need to have your multi-factor device (phone, USB key, etc.) in hand to exploit your email in the described manner. This is not a good reason to relax! Vigilance against cyberattacks is an ever-present requirement. As mentioned above, our technology will only take us so far, and we (the people) are the weakest link in most cases.

Keep in mind that this applies to all accounts in your world – beyond WSU. It is very important to protect every account that you can with MFA and take the same precautions in your personal email activities as we recommend for your WSU activities. If an attacker gets control of personal accounts, they can create havoc for you personally and possibly use one of your personal accounts to also compromise your WSU account.

Without going into further detail, I just wanted to provide a glimpse of the larger picture so that you could take this information and apply it to reinforce the safety of all your online accounts. The best advice I can give you is just don’t open links in emails. Don’t do it. Don’t be provoked by claims of urgency in an email—no matter how legitimate they may look. Do not open links without thinking really, really hard about it. Distrust by default. The same applies for any “too good to be true” listings, job vacancies, and the like. Always start with doing a search of user information, email address or a phrase, and you will most likely find these scenarios already documented in some shape or form.

In the meantime, please stay safe and feel free to reach out to your Virtual Mentors for more information! We’re here to provide you with the virtual support to help you succeed and excel in your learning.

-Yuliya Gerasimova, WSU Global Campus Virtual Mentor