What is Phishing?

Phishing is an online scam where fraudsters impersonate a trusted person or organization in an attempt to obtain personal information that may be used for identity theft.


Forms of Phishing

Scammers send emails pretending to be from a legitimate retailer, bank, organization or government agency (such as the school district). The emails generally ask you to confirm your personal information by clicking on a link to a phoney website where you are asked for personal information such as identifiers or passwords. The websites may look very similar to a real company or organization you deal with on a regular basis. Sometimes you can tell that a website or email is a false one if there are spelling and grammatical errors. Websites or emails from legitimate companies should not contain spelling and grammatical errors.

Signs of Phishing

Phishing can take many forms and recognizing the signs can help protect you from identity theft. A fraudulent email can often seem innocent or even helpful. For example, the email sender could be contacting you for the following reasons:

  • your account or credit card is about to be closed
  • an order for something has been placed in your name
  • your personal information has been lost because of a computer error or breakdown
  • there is suspicion that your account or credit card has been subject to fraud
  • in the case of the latest examples, the phishers fraudulently represent the school district IT department looking for user verifications

The giveaway is that the email will ask you to supply personal information that could be used to create a false identity or to impersonate you (such as asking for your account numbers, passwords or other sensitive personal information).

Protect Yourself

  • Never respond to an email asking for your personal information.

    Phishers often send authentic-looking messages that appear to come from legitimate companies, requesting personal information or asking you to confirm personal information, which is then used for fraudulent purposes. Do not respond to email claiming to be from, for example, your financial institution or other legitimate organizations, asking you to provide your passwords, financial information or other personal information. Your bank should never send you an email asking you to provide this information. Even though your bank may call you if they suspect fraudulent activity on your bank account or credit card, they should never ask you to provide your passwords or account numbers verbally or via the telephone keypad.

    The school district will never send out a mass email asking users to provide personal information, particularly user IDs and passwords.

    If you are asked for this type of information, phone the organization (or the district help desk) to verify that the request is valid, but do not use the email address or telephone contact information provided in the email as it could be false as well. Instead, look up the contact information for the organization on their website, in the phone book or on printed correspondence you may have from them.

  • Never enter your personal information in a pop-up screen.

    Phishers can direct you to a real company's website, but then an unauthorized pop-up screen created by the phisher will appear asking you to provide personal information. Legitimate companies do not ask for personal information via pop-up screens.

  • Never open email attachments from someone you don't know.

    Even if the message looks like it came from someone you know, it could be from phishers trying to steal your information. If you are not expecting an email attachment from someone, verify with that person before opening it. The latest example of a phishing attempt was responded to by at least 5 people in our district, resulting in their accounts being suspended and the district being put on several blacklists.

As can be seen from the following example, the grammar is poor and there is an urgent appeal to click a suspicious link to verify your account information, which the school district would never request of our users. This is an obvious attempt at identity theft, which most of our users recognized; however, a few did respond, which has resulted in a significant problem for them and the district.

Hover (don't click) your mouse pointer over the From field and you will see the email is not from an @sd63.bc.ca account.

 

Hover (don't click) your mouse pointer over the link they want you to click; the destination is shown on the bottom left of your screen. It will always point to some other address, not SD63.
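The two hover checks above can also be done automatically on a raw message. The following is an added example, not the district's own tooling: the sample email is constructed, the `.example` hosts are placeholders, and the function names are illustrative.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "sd63.bc.ca"  # district domain named on this page

# Constructed sample: display name and link text look like SD63, real values do not.
SAMPLE = """\
From: "SD63 IT Department" <it-support@sd63.bc.ca.example>
Subject: Verify your account
Content-Type: text/html

<p>Click <a href="http://sd63.bc.ca.verify.example/login">https://www.sd63.bc.ca</a></p>
"""

def in_trusted_domain(host):
    """True only for the district domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

class LinkCollector(HTMLParser):
    """Collects each <a href>: the real destination that hovering reveals."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def check_message(raw):
    """Return a list of warnings for one raw email (headers plus body)."""
    msg = message_from_string(raw)
    warnings = []
    addr = parseaddr(msg.get("From", ""))[1]  # the address, not the display name
    if not in_trusted_domain(addr.rpartition("@")[2]):
        warnings.append(f"From is {addr or 'missing'}, not an @{TRUSTED_DOMAIN} account")
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for href in collector.hrefs:
        host = urlsplit(href).hostname
        if not in_trusted_domain(host):
            warnings.append(f"link goes to {host or href}, not {TRUSTED_DOMAIN}")
    return warnings
```

An empty result does not prove a message is genuine, because the From header can be forged; the rule never to supply passwords by email still applies.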


We cannot reiterate enough: DO NOT RESPOND to these emails, DO NOT click any links in them and DO NOT open any attachments. They should be immediately deleted.

Consequences

As a result of users responding to these phishing attacks, the district will immediately suspend users' email accounts. The accounts will not be reactivated until the users contact the district help desk by phone and receive onsite training regarding phishing emails. Repeat offenders may have their email accounts permanently deleted.

Gregg Ferrie

Director of Information Technology

Last modified: Friday, 10 February 2017, 1:09 PM