Ways to Not Fall Prey to Email Phishing Scams

November 6, 2020

According to new data, the frequency of email phishing threats has risen considerably in the past few months, and New York Institute of Technology itself experienced two significant attacks on November 2. And while the frequency of the attacks is a growing concern, 97 percent of users cannot identify a sophisticated phishing scam, according to Keepnetlabs.com.

To find out what New York Tech is doing to protect itself, and how students, faculty, and staff can contribute to that effort while minimizing their own susceptibility to information and identity theft, The Box chatted with Laurie Harvey, M.B.A., director of Academic Technology Services (ATS):

In the recent phishing attempts at New York Tech, were the attackers attempting to access information or introduce malware into our systems?
The most recent attempts were trying to get personal banking information. After a series of back-and-forth questions, the scammers would ask for our users’ banking information. I’m pleased to report that no one in our community “fell” for the scam. Once the scammers asked for banking information, our users quit the conversation in email.

How can email users become more skilled at recognizing phishing schemes, given their increasing sophistication?
If you look at an email and it seems “fishy,” it probably is “phishy.” Sorry for the bad pun, but hopefully readers who may be groaning will be reminded that cybercriminals and scammers are working hard on their unsolicited email, phone calls, and online offers in order to get personal information and reap the benefits of identity theft. It is a very profitable business. According to Javelin Strategy & Research, “identity fraud resulted in $16.9 billion lost in 2019, and impacted 5.1% of consumers.”
Here are some suggestions:

    • Check the email address. Phishing email usually comes from a user name you might know, but the @XXXX section (the email domain) is not familiar.
    • Do not fall for scams to buy gift cards. Don’t attempt to buy iTunes cards because an emergency email message from your boss asks you to. If you are uncertain, call your supervisor before making a purchase through an email request.
    • Don’t install questionable apps or programs. Another common scam, conducted over the phone or email, tells users to go to the App Store and install “TeamViewer” on their computer or mobile device. Once that app is installed, it allows the scammer to view personal information on that device. Never install TeamViewer at the request of an unknown agency.
    • Be really careful when using your mobile phone. On mobile devices, it can be difficult to read web addresses, so do not click on any links from an unfamiliar email address. Remember: banks, legitimate services such as Amazon, or New York Tech will never ask for you to click on a link to provide your personal information or login/password in an email. Often, legitimate businesses require two-factor authentication (two ways for you to identify yourself) before providing access to accounts.
    • Change your passwords frequently and use strong passwords. Use more than eight characters and incorporate numbers and special characters (such as ! @ # &).

A recent email from ITS noted that “malicious links and/or email attachments in phishing emails are still the most common vector for a cybersecurity event.” Can you elaborate on what this means, since we continue to be fooled by phishing scams?
That statement means that links or attachments within an email message are the most frequently used openings or routes for people to be scammed or to become victims of identity theft.

To be on the safe side, what are a few things email users should never do?

  • Before submitting anything, check the website’s security. Look in the upper-left corner and make sure the web address begins with https://, or there is a closed lock symbol near the address bar.
  • Do not click on any links in an email unless you know the sender—and be sure you confirm that the email address is the actual email address of the person you know. Often, hackers have the first part of the email address correct, but the @XXXXX is from a server you will not recognize.
  • Be especially careful with emails you think are from banks or services such as Amazon. The scammers make sure the icons look accurate, but when you look closely at the website address, you will see that it “looks” wrong. In the example hotels.com@roktpowered.com, the email domain (the section after the @ sign) is your clue this is a scam.
  • Do not respond to emails from companies that do not know your name. Legitimate companies that send you emails know your name. Scammers do not.
  • Block pop-ups in your browser. You can allow pop-ups on a case-by-case basis but be aware that they can often be phishing or malware attempts. When you see a pop-up, close it by clicking on the “X” in the upper corner of the window rather than using the cancel button (which can sometimes lead to a phishing site).
  • Never give out personally identifiable information, such as your social security number or birth date, or financially sensitive information over the internet unless the website is secure and begins with https:. All legitimate websites have a contact phone number. If you are uncertain, double-check by calling the company to ensure the website is valid or to provide the information over the phone.

What should we do if we think we have been phished?

  • Change your password at the company or service where you have been hacked and contact the company immediately. 
  • If you have been phished at New York Tech, please call the ITS Help Desk at 516.686.1188 or submit a ticket via nyit.edu/itshelp after hours (weekends or after 7 p.m. during the week).
  • Go to IdentityTheft.gov to take specific steps to report and recover from identity theft.

Is it possible to fully prevent phishing attacks at New York Tech? 
In the words of Ralph Waldo Emerson, “Build a better mousetrap, and the world will beat a path to your door.” Scammers are creating new and more innovative ways every day to attempt to trick users to part with their valuable personal information. There is no perfect system to completely eliminate phishing because scammers are committed to finding new ways of stealing your information to make money. As I mentioned earlier, it is a very profitable business.

Artificial intelligence and resourceful minds looking at this prevalent issue may come up with a solution in the future, but it does not exist today. Who knows? It could be a New York Tech student who builds the “better mousetrap”!