
Phishing is a successful and widely used technique of cybercriminals. They create a false narrative or impersonate a real person to steal your information or take control of your devices. Though the university has tools and trained defenders watching your back, the sheer volume of attacks means you may come face to face with the adversary in your inbox.
What to watch out for:
- Unknown Sender: One of the first things to raise suspicion is an email from an unexpected sender. This is not simply spam; attackers are intent on harm. Scrutinize the URL and make sure the domain (i.e., name@DOMAIN.suffix) is from a reputable or expected source. Moreover, someone in your contacts list may have a compromised account that is being used to send bad emails from their legitimate address, so you'll need to look closer.
- Authority or Urgency: Attackers will often pretend to be law enforcement or government agencies, scaring you into doing what they ask. If an email is threatening, you should be skeptical. Attackers will also try to get you to act before fully thinking, so be careful of language like ‘last warning’ or ‘must be done now’.
- Deceptive links: A common technique attackers use is to send an email with a link that takes a user down a dangerous path. It is also common for attackers to use the link to send the user to a fake (spoofed) login page, usually disguised as a recognized page, like Amazon, Google, Facebook, etc. From there, they will ask for login credentials. Once they have those, they can log into the user’s real account and cause damage.
- Malicious file attachments: Though modern defense systems filter much of this traffic, it is still possible for one to reach you. An attacker attaches a malicious file, encouraging you to install or open it. Check the URL, make sure you are expecting that attachment, and make sure you trust the sender.
- Calls to action: An attacker often needs the help of the victim to carry out the attack. They look to build trust by impersonating a customer service or other helpful representative. They will ask the victim to download and install software, or to give up credentials or information. If you are suspicious, hang up, disengage, and contact the company directly.
Report Suspicious Emails
Phishing prevention isn't just about individual safety—it's also a collective effort to maintain digital trust and security in everyday interactions. When you report a phishing or suspicious email, you are helping the university community as a whole. Reporting an email as phishing or suspicious provides several benefits:
- The email security team can verify if the email is legitimate or a phishing attack.
- If the email is determined to be malicious, the security team can prevent the same message from being delivered to other users.
- Malicious web sites can be taken down or blocked.
- A fast reaction to a phishing attack helps keep everyone safe. It’s better to report a legitimate email than to not report a malicious one. Be safe, not sorry!
You can also report suspicious emails sent from an external (non-Ohio State) sender by clicking the "Report Suspicious" button in the warning banner that appears at the top of that external email. If the banner does not appear, please forward the email to report-phish@osu.edu.