Stop that Phish!

We all use email every day for work, school, and to stay in touch with our peers, professors, colleagues, friends, and family. Because so many people worldwide depend on email, it has become one of the primary delivery channels for cyber attackers, and the most common email-based attack is called phishing. Learn what phishing is and how to spot and stop these attacks, whether you are at work, school, or home.

One important point we always emphasize is that no one, including Information and Library Services staff, will ever have a legitimate reason to ask for another person's password, whether in person, on the phone, or via email. Never share your password with anyone, including close friends, colleagues, family, or anyone from the IT Service Desk!


What Is Phishing?

Phishing is a type of attack that uses email or a messaging service to fool you into taking an action you should not take, such as clicking on a malicious link, sharing your password or banking information, sending someone money, or opening an infected email attachment.

Attackers work hard to make these messages convincing and to play on emotional triggers such as urgency or curiosity. They can make messages look like they came from someone or something you know, such as peers, professors, colleagues, friends, family, or a trusted company you use. They may add your bank's logo or forge the sender address so the message appears more legitimate. Attackers then send these messages to millions of people. They do not know who will take the bait; all they know is that the more they send, the more people will fall victim.


Protect Yourself!

In almost all cases, simply opening and reading an email or message is fine. For a phishing attack to work, the bad guys need to trick you into doing something. Fortunately, there are clues that a message is an attack.

Here are the most common ones:

  • You receive a message from someone you know, but the tone or wording just does not sound like them. It is easy for a cyber attacker to create a message that appears to be from a friend, a classmate, a professor, or someone close to you. If you are suspicious, call the sender to verify they sent the message, using a phone number you already have rather than one given in the message, or contact the Bates College IT Service Desk.
  • The message requests highly sensitive information, such as your credit card number, your password, or other information that a legitimate sender should already have.
  • The message pressures you for financial information, credit card numbers, Social Security numbers, money, or gift cards, or asks you to wire money internationally or domestically.
  • The message conveys a tremendous sense of urgency and demands "immediate action" before something bad happens, like threatening to close an account or send you to jail. The attacker wants to rush you into making a mistake.
  • The sender address looks official (for example, a Bates address), but the Reply-To header points to someone's personal email account, so your reply goes to the attacker rather than to the apparent sender.
  • The message appeals to curiosity or offers something that is too good to be true. (No, you did not win the lottery.)
  • The message uses a generic salutation like "Dear Customer." Most companies or friends contacting you know your name.
  • The message claims to come from an official organization but has poor grammar or spelling, or is sent from a personal email address such as @gmail.com.
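The two header clues above (a Reply-To that does not match the sender, and an "official" message sent from a personal webmail address) can be checked mechanically. The following is an added example, not code from the original newsletter or from Bates College: it parses a raw message with Python's standard email module and reports those two clues. The sample messages are constructed for the example, and the list of webmail domains is an assumption that an organization would tune to its own needs.

```python
import email
from email.utils import parseaddr

# Assumed list of consumer webmail domains; an organization would tune this.
# The list is an assumption for this example, not something the article gives.
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed sample messages, not real mail. The first looks like an official
# notice but routes replies to a personal webmail account; the second is an
# ordinary message whose From and Reply-To agree.
SAMPLE_PHISH = """\
From: "Payroll Office" <payroll@example.edu>
Reply-To: payroll.office.help@gmail.com
To: student@example.edu
Subject: Urgent: confirm your direct deposit today

Your payroll account will be suspended unless you reply immediately.
"""

SAMPLE_LEGIT = """\
From: "Payroll Office" <payroll@example.edu>
Reply-To: payroll@example.edu
To: student@example.edu
Subject: Pay stubs are now available

Your pay stub is available on the portal.
"""


def address_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if none.

    parseaddr() strips the display name, so '"Payroll Office" <x@y>' -> 'x@y'.
    A display name cannot hide the real address from this check.
    """
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def header_flags(raw_message):
    """Return a list of warnings for the From / Reply-To clues.

    Only these two headers are examined; an empty result means these clues
    are absent, not that the message is safe.
    """
    msg = email.message_from_string(raw_message)
    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))
    flags = []

    # Clue: official-looking sender, but replies are routed somewhere else.
    if reply_domain and reply_domain != from_domain:
        flags.append(
            f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}"
        )
        if reply_domain in WEBMAIL_DOMAINS:
            flags.append(f"Reply-To is a personal webmail account ({reply_domain})")

    # Clue: claims to be an organization but is sent from a personal address.
    if from_domain in WEBMAIL_DOMAINS:
        flags.append(f"From address uses a personal webmail domain ({from_domain})")

    return flags


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, header_flags(raw) or ["no header clues"])
```

Most mail clients show only the display name by default, so a reader sees "Payroll Office" and nothing else; viewing the full headers (or running a check like this on the raw message) is what exposes the mismatch.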

Ultimately, common sense is your best defense. If an email or message seems odd, suspicious, or too good to be true, it may be a phishing attack. If you are ever unsure, contact the Bates College IT Service Desk for help evaluating the message you received.


This tip was adapted for Bates College from the April 2018 issue of OUCH!, the monthly security awareness newsletter published by the SANS Institute.