"Phishing" is the most common type of cyber attack that affects every organization. Phishing attacks take many forms, but they all have a common goal – getting you to give them personal or sensitive information such as login credentials, credit card information, or bank account details through well designed and seemingly legitimate email messages, websites and phone calls. Although Information Technology (IT) has many levels of controls in place to help protect KSU’s networks and computers from cyber threats, we depend on every account holder to be our first line of defense. Cybercriminals are constantly changing phishing emails in order to make it through any email filters. Since there are no filters that can 100% guarantee that all spam or phishing emails can be blocked, it is important that you learn to identify these scams and respond appropriately by deleting them or reporting them to the IT Help Desk. The following are different types of phishing attacks to look out for:

• Phishing: With this type of attack, hackers mimic a real company to obtain your login credentials. When you click on any links in these types of e-mail attacks, you give your login information directly to the hackers.
• Spear Phishing: Spear phishing is a more sophisticated phishing attack that includes familiar information that makes the attacker seem like a legitimate source. They may use your name and phone number and refer to KSU in the e-mail to trick you into thinking they have a connection to you which will make you more likely to click a link or attachment that they provide.
• Whaling: Whaling is a popular ploy aimed at getting you to transfer money or send sensitive information to an attacker via email by impersonating a member of management within KSU. Using a fake email address that appears similar to ours, they look like normal emails from the KSU President, vice presidents, or department supervisors. These type of email attacks will ask you for sensitive information (including usernames, passwords or cell phone numbers) or ask you to purchase credit cards or pay send money to an account.
• Shared Document Phishing: You may receive an e-mail that appears to come from file-sharing sites like Dropbox or Google Drive alerting you that a document has been shared with you. The link provided in these e-mails will take you to a fake login page that mimics the real login page and will steal your account credentials.
• Examples of Email Phishing
• Can you identify Phishing?
• More information about Phishing
  • Federal Trade Commission
  • FBI Cyber Investigations
  • Internet Crime Complaint Center (IC3)

• Do not send sensitive personal information like passwords, credit card information, bank account information, or other private information in an email. Email messages are not considered secure. An email can be forwarded to others without your knowledge.
• Be cautious of unsolicited email messages, attachments or links, even from people who you may know. If you have doubts, do not respond.
• Avoid clicking links in emails, especially if they request private information.
• Do not click on links or attachments from senders that you do not recognize. Be especially wary of .zip or other compressed or executable file types.
• Do not try to open any shared document that you’re not expecting to receive.
• Be especially cautious when opening attachments or clicking links if you receive an email containing a warning banner indicating that it originated from an external source.
• Call the company with a number from your contact list, not a number provided in the email.
• Watch for email senders that use suspicious or misleading domain names.
• Inspect URLs carefully to make sure they’re legitimate and not imposter sites.
• When you have to enter private information in websites, look for ‘https://’ and a lock icon in the address bar before entering the information.  If the website does not have the “https://”, it is not a secure site.
• Remember to always log-off of your computer when connecting to secure websites because the next person using the computer may have access to your data.

• Change your KSU password immediately.
• Call the IT Help Desk.
• If your mobile device has such a service, delete all personal data from the device (Find My iPhone, Find My iPad, Android Device Manager, etc.).
• Change the password for any personal accounts that share the same password, such as:
  • Banking services;
  • Email (personal, corporate);
  • Online stores (Amazon, eBay, iTunes, etc.);
  • Social media (Facebook, Twitter, etc.);
  • Backup services or file sharing (Dropbox, etc.);
• Contact the abuse or fraud department of the service being impersonated (eBay, Paypal, etc.).
• If you suspect a bank or credit card account may have been compromised, contact that institution to check your account immediately and request a credit report.
• From Outlook, right-click the suspicious message, point to Junk, and then click Report Junk.

“Vishing” (a combination of “voice” and “phishing”) is defined as the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies or colleagues in order to trick individuals to reveal financial or personal information, such as passwords, bank details or credit card numbers.

Cybercriminal will spoof phone numbers and also create fake caller ID’s to distort their identity. Vishing schemes are on the rise, especially with an increase in remote working.

• Be cautious when receiving unsolicited phone calls especially calls that attempt to prey on your emotions or is threatening.
• Hang up the phone immediately if you believe it is a vishing phone call. You are not obligated to continue the conversation. After you hang up the phone, block the number if you are able to.
• Verify the caller's identity by calling the company’s official public phone number not the phone number provided by the caller. The call back number provided by the person could be part of the scam.

Do not respond to prompts or press buttons if you receive an automated message. Cybercriminals will use these tactics to find more targets for their robocall schemes. If you respond verbally, cybercriminals may also attempt to record your voice and use it later with voice-automated phone menus that are linked to your personal or business accounts.

“Smishing” (a combination of “sms texting” and “phishing”) is defined as the fraudulent practice of using SMS text messages purporting to be from reputable companies or colleagues in order to trick individuals to reveal financial or personal information, such as passwords, bank details or credit card numbers.

Cybercriminal will sent text messages and also create fake caller ID’s to distort their identity. Vishing schemes are on the rise, especially with an increase in remote working.

• Be cautious when receiving unsolicited text messages especially texts that attempt to prey on your emotions or are threatening in nature.
• If a text message is influencing you to take action or respond quickly, stop and think about it. Cybercriminals use this as a way to persuade you to do what they want.
• Do not click on the links and delete the text immediately.
• Do not respond to text messages that request your personal or financial information.
• Contact the company directly to verify they sent you a text message.

In order to provide timely and reliable service, the first point of contact for all technical assistance must be made to the IT Help Desk. To contact the IT Help Desk, submit a service request (on-campus), call the Help Desk at (502) 597-7000 or send an email to helpdesk@kysu.edu.