Phishing

Phishing scams are a form of “Social Engineering” in which the attacker attempts to trick you into giving them your credentials or access to your system. Phishing typically refers to scams carried out through email, but very similar scams can be run through text or social media messaging. In phishing scams, the attacker, or “phisher,” will pose as an institution or individual that you trust by sending you a fake message that claims to be from that trusted party.

Often, the goal of a phishing attack is to get you to provide your login credentials or other sensitive information like your social security number or financial institution information. This information could then be used to gain access to your private accounts or to steal your identity. You should be suspicious of any email that asks you to provide personal information or that directs you to a webpage that asks for this information.

Another goal of phishing is to trick you into downloading malicious code onto your computer. This can occur when you click a link or open an attachment. The malicious code can then do any number of very bad things to you, your computer and your network. You may never know it’s there, or it may be glaringly obvious like when “Newman’s” face pops up on Samuel L. Jackson’s computer screen in Jurassic Park saying, “Ah Ah Ah.” 

Phishers attempt to play on your emotions, often including disturbing or enticing information in their emails in an attempt to provoke you to act. They may try to create a false sense of urgency by saying "your account will be deleted" or that "you are over your email storage space." They often urge you to act immediately to "update" or "verify" your account information.

Phishing techniques, and social engineering techniques in general, are growing increasingly complex, and the impersonations are getting more realistic and difficult to spot. Ohio State email accounts continue to be targets for an increasing number of phishing attacks. Some of these emails are very sophisticated, using "real" Ohio State email addresses, convincing branding and/or "official" signatures.

  • If you think an email is a phishing attempt, REPORT IT
  • Ohio State will never ask:
    • you to enter your login credentials
    • you to validate or verify that you need an account

If you receive a suspicious email, please report it by forwarding the email to report-phish@osu.edu or by using the PhishMe Button. If there is any doubt, do not hesitate to report the email. Do not click links or open/preview attachments in the suspicious email.

Recognizing a Phishing Attempt

Here's a list of points to consider when deciding if an email is trustworthy. However, don't rely on any single factor.

False claims, warnings and threats

Have you ever received a warning that your account would be closed if you didn't respond immediately to an email message? Many phishing emails make false claims that your security has been compromised, or about the status of your account, and then ask you to update or validate your account by clicking on an embedded link in the email. Many include a false sense of urgency and state that your account may be in jeopardy if it is not updated immediately. They may threaten to lock your accounts or disable access if you do not provide the information they "need."

Ohio State will NEVER ask for your account information or other personal or financial information by email. Legitimate businesses will NOT ask for this information by email either. You should NEVER provide this information through an email or to a webpage you access from a link.

Unofficial "From" addresses

Look out for a sender's email address that is similar to, but not the same as, an organization's official email address. Fraudsters often sign up for free email accounts with company names in them. These email addresses are meant to fool you. They can also forge the "From" address to look exactly like a legitimate address. Another common phishing scheme is to send messages from a compromised account belonging to a legitimate user. On social networks, attackers may take advantage of messaging systems built into the products after compromising a user’s account. In these cases, the messages appear to come from trusted friends or colleagues.

Impersonal or strange greetings

Phishing emails sometimes start with generic phrases like "Dear valued customer" or your email account name, such as "Dear smith.99999", instead of your name ("Dear Emily" for example). Most legitimate companies include your name in their correspondence because companies will have it on record (if you've dealt with them before). Fraudsters can get your name from public records and target you directly as well. For example, Ohio State's "Find People" feature provides this capability. So even if an email includes your name, it may not be authentic.

Spelling, punctuation and grammar

Cybercriminals are not known for excellent grammar and spelling. Professional companies or organizations usually have a staff of copy editors that will not allow a mass email containing misspellings and other errors to go out to its users. If you notice mistakes in an email, it might be a scam. Phishing scams are becoming more sophisticated, so a well-written email, free of misspellings and typos, isn’t necessarily legitimate.

Spoofing popular websites or companies

Scam artists use graphics in emails that appear to be associated with legitimate websites or companies. A web page that looks legitimate at first glance can still be a phony scam site or a legitimate-looking pop-up window. On phony web pages, cybercriminals often use web addresses that resemble the names of well-known organizations but are slightly altered (osu.edu.xx, for example). Phony web pages will also often contain a mix of legitimate links and fake links. For example, the page may link to the genuine privacy policy or terms of service page for the site being mimicked. However, these authentic links may be mixed in with links to a fake phishing website in order to make the spoof site appear more realistic.

Protecting Yourself from Phishing

  • Think before you act. Be wary of communications that implore you to act immediately, offer something that sounds too good to be true or warn of negative consequences if you do not act now.
  • If it looks suspicious, even if you know the source, before taking any action, please call your local IT support or the IT Service Desk at 614-688-HELP (4357) (TDD: 614-688-8743) for verification and advice.
  • Look closely at embedded links. Phishing emails often include links that may look legitimate but actually send you to malicious websites that look and feel like the authentic ones. The web page address (URL) may use a variation in spelling. Or the URL shown may appear to be legitimate - but when you hover over the link with your mouse to see where it will lead, a different address may be displayed.
  • Do not provide your login credentials or any personal information. The Ohio State University will NEVER ask for your account information by email.
  • If you receive suspected phishing email, please report it to report-phish@osu.edu.
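The two checks described above under "Unofficial 'From' addresses" and "Look closely at embedded links" (a sender domain that merely resembles osu.edu, and link text that shows one address while the href points elsewhere) can be automated. The script below is an added example written for this page; it is not Ohio State's code or part of any PhishMe tooling. It uses only the Python standard library, and the trusted-domain allowlist, the brand words, and the sample message are all constructed for the demonstration.

```python
"""Added example: flag two phishing tells in a raw email message, a sender
domain that imitates a trusted one and anchors whose visible text does not
match where the href really points (the "hover over the link" check)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of domains the reader trusts (assumption: adjust per organization).
TRUSTED_DOMAINS = {"osu.edu"}
# Constructed brand words a phisher might put in a display name.
BRAND_WORDS = ("ohio state", "osu")


def host_of(url_or_host: str) -> str:
    """Hostname of a URL, or of bare text such as 'login.osu.edu'."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlparse(url_or_host).hostname or "").lower()


def is_trusted(host: str) -> bool:
    """True for a trusted domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def imitated_domain(host: str):
    """Trusted domain that `host` mimics (e.g. 'osu.edu.xx', 'osu-edu.example'), else None."""
    if is_trusted(host):
        return None
    for d in TRUSTED_DOMAINS:
        if host.startswith(d + ".") or d.replace(".", "-") in host:
            return d
    return None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(from_header: str) -> list:
    """Findings about the From: header (lookalike domain or brand-name display name)."""
    name, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2].lower()
    if is_trusted(host):
        return []
    mimic = imitated_domain(host)
    if mimic:
        return [f"sender {addr} uses a lookalike of {mimic}"]
    if any(w in name.lower() for w in BRAND_WORDS):
        return [f"display name {name!r} claims a trusted brand but address is {addr}"]
    return []


def check_links(html: str) -> list:
    """Findings about anchors whose text shows one host but whose href goes elsewhere."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        # Visible text that looks like a URL or hostname must agree with the real target.
        if "." in text and " " not in text and host_of(text) != target:
            findings.append(f"link shows {text} but goes to {target}")
        elif imitated_domain(target):
            findings.append(f"link target {target} is a lookalike of {imitated_domain(target)}")
    return findings


def analyze(raw: bytes) -> list:
    """Run both checks over a raw RFC 5322 message and return all findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = check_sender(str(msg["From"]))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += check_links(body.get_content())
    return findings


# Constructed sample phishing message; every address and URL in it is invented.
SAMPLE = b"""\
From: "Ohio State IT Service Desk" <helpdesk@osu.edu.xx>
To: smith.99999@osu.edu
Subject: Action required: mailbox over quota
Content-Type: text/html; charset=utf-8

<html><body><p>Dear smith.99999,</p>
<p>Your account will be deleted unless you
<a href="http://osu-edu-verify.example/login">https://login.osu.edu</a>
within 24 hours.</p>
<p>Read our <a href="https://osu.edu/privacy">privacy policy</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for line in analyze(SAMPLE):
        print("WARNING:", line)
```

Run against the sample, the script reports the `osu.edu.xx` sender and the link whose text reads `https://login.osu.edu` while its real target is elsewhere; the genuine privacy-policy link, mixed in exactly as the "Spoofing popular websites" section describes, produces no warning. The "last two labels" style of domain matching is deliberately simple: a production filter would use the Public Suffix List and the organization's full list of legitimate mail domains.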