Many users receive a variety of unsolicited commercial email (also known as "spam") in their offices or at home. While people don't always like getting spam, much of it has a legitimate business purpose. Unsolicited emails, however, are often the initial means for criminals, such as operators of fraudulent schemes, to contact and solicit prospective victims for money, or to commit identity theft by deceiving them into sharing bank and financial account information.

This is called phishing - the attempt to gain confidential or sensitive information by social engineering via email.

Phishing is an email fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well known and trustworthy websites. Websites that are frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy, and AOL. A phishing expedition, like the fishing expedition it's named for, is a speculative venture: the phisher puts the lure hoping to fool at least a few of the prey that encounter the bait.

Email Best Practices

1. Be vigilant. If it looks suspicious, it most likely is.
2. Ask for help. If you are not sure an email is legitimate, contact the company by phone or contact your administrator/help desk.
3. Don't click on links. Be very wary of the links that are included in emails. Links on phishing emails will not lead to the site you may think it does. Example: If you get an email that is supposedly from your bank with a link, don't click the link; instead, log in to your bank account from a web browser or call your bank to confirm the email is legitimate.
4. Don't download attachments. Attachments may contain any number of things including, but not limited to, malware, viruses, worms, trojans, etc.
5. Did I request this email or do I have any connection to this company? A big tell that an email may be malicious is if it has nothing to do with you. Example: An email from a bank you don't belong to or requesting information that you don't have, etc.

Spotting a Malicious Phishing Attempt

• Start by heading over to Microsoft- they have good examples of how to spot a phishing email.
• Here is an interesting quiz from OpenDNS - it tests your ability to spot a phishing website and at the end will show you the giveaways for each site that is not real.
• Here are some more sites that may help you identify phishing attempts with ease.
  
  • ZoneAlarm
  • TechRepublic
  • TD Ameritrade

Example

Phishing email. Phishing clues:

• Note that sender is from an unrelated entity.
• DePaul will only send emails from depaul.edu accounts
• Email originating from non-DePaul or external email sources will have the [EXT] tag as a subject prefix
• Google docs form used to collect credentials.