Email Phishing Attacks - Fraud/Scams/Intimidation

Introduction

Please forward phishing emails you receive to phishing@amherst.edu. We will take any necessary actions, such as blocking the phishing websites, as soon as possible after receiving the phishing sample.

Please DO NOT forward examples of spam to phishing@amherst.edu. Spam is annoying marketing clutter, while phishing is an attempt to defraud you.

Email phishing attacks are a type of fraud. Phishing is the practice of sending email that looks like it is from an institution such as a college, university, bank, brokerage house, the IRS, the U.S. or another government, a law firm, the Post Office, UPS, FedEx, Amazon, eBay, PayPal, or any store or social media site.

Spear phishing is an even sneakier type of phishing. It is the practice of sending targeted messages, for example messages sent to those affiliated with Amherst College that pretend to be from Amherst College, Amherst IT, or an Amherst department.

Sometimes the email says that your email account is over quota, that you must click a link to reactivate or update your account, or that you must provide your user information to keep your account active. A common, successful type of phishing says you have a package waiting and tells you to click to claim it or get the tracking information. Another common, successful type of phishing says there is a problem with your Apple ID and tries to capture your Apple ID login credentials. These are all made-up claims designed to obtain your username and password and/or direct you to an attack website.

Phishing emails often contain a link to a web page and/or explicitly ask you to enter your username and password. Once phishers have your account information, they could access your accounts for any sort of nefarious purpose, including sending out large volumes of nuisance email or, worse, identity and monetary theft. Attacks involving financial institutions or purchasing sites such as Amazon or iTunes often aim to steal money. Attacks asking for your Amherst username and password can be used to send thousands of spam messages from your account.

Other forms of phishing outside of email have slightly different names to reflect their platform but operate in much the same way. Here are a couple of examples:

  • smishing - phish delivered via text or SMS messages
  • vishing - phish delivered via voice messages either with a phone call or voice mail

Spam is the electronic equivalent of junk mail: unsolicited and unwanted. The ultimate goal of the sender is to make a sale.

How do you address each? For spam, you can set up a spam filter in your email. When it comes to phishing attempts: if something sounds or looks strange, it’s preferable that you do not take action based on the message, and instead report it to us for a recommendation by forwarding it to phishing@amherst.edu. When in doubt, throw it out!

Intimidation emails are messages that threaten you with harm; that threaten blackmail, including saying they "know what you did" or claiming to know your browser or purchasing history and threatening to publicize it; that purport to be from the IRS or another government agency and threaten you with audits or prosecution; or that say you have to send money to someone, especially by requesting gift cards. Do not engage with intimidation emails, and report them immediately to your local authorities. If you receive one while on campus, contact the Amherst College Police Department.

Instructions

Protect yourself from phishing.

  • Do not share any passwords with anyone ever.
  • Amherst College, your bank, FedEx, the IRS, your credit card company, etc. will never ask for your password, not by email, phone, text message or in person.
  • Financial institutions will communicate with you via secure messaging. Via regular email they will only notify you of waiting messages in their secure systems.
  • Don't send sensitive information, including Social Security, bank account, or credit card numbers, via unencrypted email or text message ever.
  • Do not purchase gift or cash cards or wire money because an email or text directed you to do so, even if the message claims to be from someone you know. Always verify via another method using a known good contact, such as a phone call, Slack, or even a hallway chat.
  • One sign of a phishing attempt is that the message may end with a simple signature line such as "Amherst College", "IT", or "Tech Support".
  • Never enter an account password into a spreadsheet, an email message, a text message or an unknown website.
  • Use our guide to Know where you are logging in.
  • Do not open or reply to phishing emails.
  • Do not click any buttons, images or links in any phishing emails, especially those that say "unsubscribe" or "remove me from mailing list". Clicking anything in a phishing email could install malware on your computer. It will also cause you to receive more email from the spammers because they will know your email account is active.
  • Report intimidation messages to your local authorities.

Help us Protect the Herd by identifying and reporting phishing and other scams as soon as you see them.

Please forward phishing emails you receive to phishing@amherst.edu. We will review your phishing email sample and take any necessary actions to prevent others from being affected as soon as possible after receiving it.

If you reply to a phishing message with your Amherst user information, call the IT Help Desk immediately at (413) 542-2526, email us at AskIt@amherst.edu, or fill out a Help Request Form.

If you replied to a phishing message with your financial account and/or credit card user information, first, immediately notify your financial institution that your account is compromised. Second, report any theft or fraudulent use of your identity to the local police.

 


Audience

students
faculty
staff
alumni
five college
applicants
others
