5 Tips to Avoid Phishing Scams
Just how susceptible are people to phishing attacks? In Mississippi, the Clinton Public School District sought to answer that question through a social engineering assessment. The district IT team sent employees a fake phishing email that contained many telltale red flags: a generic Gmail domain in the sender’s email address, spelling errors and the logo of a company that’s not a district-approved vendor. They even misspelled the district’s name.
Still, despite those signs, the majority of recipients — 83 percent — opened the email, and more than half of them clicked the enclosed link.
Kim Griffin, the district’s technology director, shared information about the experiment with district employees. The following tips, edited for a broader audience, are derived from her suggestions to employees for how to better manage sensitive information.
- Pay attention to the sender’s email. Information from the district tech department uses an official district email address.
- Be mindful of branding and logos. “Strange links and unfamiliar branding are another sign that the email could be part of a phishing attempt,” Griffin says.
- Look before you click. Hover over links with your cursor to see the target URL. If the address doesn’t appear to link to “a legitimate Google, district or otherwise familiar address, it’s a safe bet that it’s a link to a page involved in these scams,” she says. “Do not click suspicious links without seeking advice from the technology department.”
- Google does not ask for a username and password at the same time, on the same page. Instead, Google requires users to enter a username or email address on one page, click an arrow or a “next” button, and then enter the password on the next screen. If you click a link that takes you to a page that appears to be affiliated with Google but asks for an email address and a password on the same screen, exit the page immediately, she says.
- When in doubt, ask. If an email appears to be from a district employee or department “but you are unsure if it is legitimate, contact that person or department head directly to verify if it is, in fact, from them,” Griffin suggests. “Do not provide any personal or private information (including login information) before verifying.” Don’t call the numbers sent in suspicious emails or that pop up on your computer. “Scammers want you to call those numbers so they can gain access to your computer and, therefore, access to all files and information (business and personal) that you have saved,” she says.