Phishing is a common and dangerous tactic used by cybercriminals to steal your personal information or infect your devices with malware. This article will help you understand what phishing is, how to recognize it, and what steps you can take to protect yourself.

What is Phishing?

Phishing is a type of social engineering attack. It's not just about sending fraudulent messages; it's about manipulating you into taking actions that compromise your security. Attackers craft deceptive messages designed to trick you into revealing sensitive information, clicking malicious links, or opening infected attachments. They often try to create a sense of urgency, fear, or excitement to bypass your better judgment.

How Phishing Works:

Phishing attacks can come through various channels:

Email: The most common method. Phishing emails often mimic legitimate organizations (like CNU, banks, or online services).
Text Messages (Smishing): Phishing via text message. These may contain links to fake websites or requests for personal information.
Phone Calls (Vishing): Phishing over the phone. Attackers may impersonate tech support, government agencies, or even family members.
Social Media: Phishing through social media platforms, often through fake profiles or compromised accounts.

What Phishers Want:

Phishers aim to steal your:

Login Credentials: Usernames and passwords for CNU systems, email, banking, social media, etc.
Financial Information: Bank account details, credit card numbers, money transfer, etc.
Personal Information: Social Security numbers, addresses, dates of birth, etc.
System Access: To install malware on your computer or gain control of your accounts.

Recognizing Phishing Attempts:

Check the Sender Information:
- Email: Look closely at the sender's email address. Often, phishers use addresses that are slightly different from legitimate ones (e.g., @cnnu.edu instead of @cnu.edu). Be wary of generic greetings like "Dear Customer" instead of your name.
- Text/Phone: Spoofed numbers are common. Don't trust caller ID.
Verify Through Secondary Channels:
- If a message claims to be from someone you know (a colleague, professor, or family member), do not reply to the message directly. Instead, contact them through a known and trusted method (e.g., call them on their known phone number, email them at their official address). Do not use contact information provided in the suspicious message.
Beware of Unexpected Attachments and Links:
- Attachments: Never open attachments from unknown or unexpected senders. They could contain viruses, ransomware, or other malware.
- Links: Hover your mouse over links without clicking to see the actual URL. Look for misspellings, unusual domain names, or shortened URLs (e.g., bit.ly). Never click on links in suspicious messages. Instead, type the website address directly into your browser.
- MFA Notifications: Be extremely cautious of unexpected MFA prompts. If you didn't initiate the login, deny the request and immediately change your password on the associated account. Attackers might have obtained your username and password through other means and are trying to bypass MFA.
Pay Attention to the Language:
- Urgency: Phishing messages often create a sense of urgency ("Act now!", "Your account will be suspended"). This is a tactic to pressure you into acting without thinking.
- Threats: They may threaten negative consequences if you don't comply (e.g., account closure).
- Prizes/Rewards: Be skeptical of messages promising free prizes or rewards.
- Grammar and Spelling: Phishing messages often contain grammatical errors and typos.
Requests for Personal Information:
- Never provide your password, financial information, or other sensitive data through email, text message, or phone call, especially if you didn't initiate the communication.

An annotated sample of a phishing email has been provided below, to highlight some common hallmarks of this tactic:

CNU Will NEVER:

Ask for your password or other sensitive information via email, phone, or text.
Send you unsolicited emails asking you to verify your account or click on links.

What to Do if You Suspect a Phishing Attempt:

Do Not Interact: Do not click links, open attachments, or reply to the message.
Eliminate It:
- Email: Mark the message as spam or phishing in your email client and delete it.
- Text: Block the sender's number.
Report It: Reporting is only necessary if you have fallen victim to a phishing attack. If you suspect you have been deceived by a phishing message, screenshot the message in full and include the images in a ticket with the Helpdesk (You can start a ticket using the button at the bottom of this document.)

Stay Informed:

Phishing tactics are constantly evolving. For more information, please stay up-to-date by utilizing the following resources:

How To Recognize and Avoid Phishing Scams
https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams
Recognize and Report Phishing
https://www.cisa.gov/secure-our-world/recognize-and-report-phishing

By staying vigilant and following these tips, you can significantly reduce your risk of falling victim to a phishing attack. Your security is important!

Browser not supported