Inside Clemson

Think before you click: How to protect yourself from phishing scams

By Julia C. Turner, Office of Media Relations

Many warning signs are easy to spot when it comes to catching phishing scams. Clemson has recently been hit by a wave of these malicious emails, and faculty, staff and students have all fallen victim to them. Clemson’s chief information security officer, Kevin McKenzie, has been promoting awareness about these threats and how to protect yourself.

His security tactics are quick, easy to understand and, if implemented, can save a lot of grief. The advice is simple:

Any email including a direct link to a login page supposedly sent from CCIT is most likely a hoax.

  • These types of emails will often threaten the recipient that their account is going to be deleted if their information is not validated immediately, or some variation of that. McKenzie reminds employees that CCIT will never try to delete email or user accounts. Clemson’s CCIT specifically avoids putting links into emails where users are expected to log in. Instead, if information must be validated, Clemson will take users to the home website and guide them, with step-by-step directions, to the appropriate log-in page.

Some red flags are the links themselves.

  • A link will often look legitimate at first glance. However, “mousing” over it will reveal that the hyperlink is actually completely different, usually a very long URL or a shortened URL like “bit.ly” or “tinyurl.” If the user clicks the link and the URL at the top of the page does not match the intended website, the website is probably fraudulent.

Things like accidental capitalization, unusual formatting and grammatical mistakes are all good indicators that the emails are hazardous.

  • Phishing attacks have to appear legitimate to get past spam filters (sometimes even the linked website will imitate Clemson’s log-in pages), but these emails will contain errors. Everything sent from Clemson University has to be approved; therefore, mistakes are typically fixed before an email is sent out. Notice the language use. If a message doesn’t read the way a person would naturally say it, that is reason for alarm.

Faculty and staff are highly encouraged to be aware of what they are receiving, especially anything they were not previously expecting.

  • Awareness of what should be arriving in one’s inbox will help users tremendously. If, out of nowhere, a message indicates that verification is required for an account or it will be deleted, blocked, removed, etc., then a safe assumption is that it is a phishing scam. Emails that ask for verification and are not expected by the user should be handled delicately. The same caution should be extended to opening attachments that were not expected or that come from someone you don’t know.

For those who have fallen victim, McKenzie suggests a few steps that will help counter the damage: “If you have put your account information into one of these phishing links, make sure the first thing you do is change your password — as fast as possible. After that, report it to us. We can help take care of the security breaches, but we can’t do that until we know about them. Then, make sure you have your computer secured.” He promotes the downloading and use of Trend Micro, Clemson’s free downloadable antivirus program. In addition to antivirus software, McKenzie recommends keeping all software updated, including your operating system.

Being proactive and aware will save a lot of grief. While it is possible to reverse some of the damage, personal information can still be compromised. It is best to know the warning signs of phishing emails and to keep in mind what is compromised when a username and password are taken: private information and access to personal accounts.

To learn more about phishing, email alerts and other information, visit CCIT’s Web page.