You receive an email from someone who claims to be a representative from your credit card company

The classic cold-call scam. The scammers call you and claim to be from the tech support team of Microsoft or another company. They offer to help solve your computer "problems".

Scammers often use publicly available phone directories, so they might know your name and other personal information when they call you. They might even guess what operating system you're using.

Once they've gained your trust, they might ask for your username and password or direct you to a legitimate website to install software that will let them access your computer to "fix it". If you install the software and provide credentials, your computer and your personal information are vulnerable.

Although law enforcement can trace phone numbers, cybercriminals often use disposable mobile phones, spoofed caller ID, or stolen mobile phone numbers. Treat all unsolicited phone calls with skepticism. Don't provide any personal information.

Warning: If you receive an unsolicited call from someone claiming to be from Microsoft Support, hang up. We do not make these kinds of calls.

As with any type of fraud, phishing can be extremely damaging and has already claimed victims on campus. Use these pages to find out more about phishing - what it is and what risks it poses. Don't get hooked! Learn how to protect yourself against phishing scams and identity theft.

What is Phishing?

Phishing refers to different types of online scams that ‘phish’ for your personal and financial information (e.g., your passwords, Social Security Number, bank account information, credit card numbers, or other personal information).

These messages claim to come from a legitimate source: a well-known software company, online payment service, bank, or other reputable institution. Some will use an organization's email address, logo, and other trademarks to fake authenticity. Phishing messages may also appear to be from a trusted friend or colleague. See below for details on phishing attacks at UMass Amherst.

Phishing messages can come from a growing number of sources, including:

  • Email
  • Phone calls
  • Fraudulent software (e.g., anti-virus)
  • Social Media messages (e.g., Facebook, Twitter)
  • Advertisements
  • Text messages

What is spear phishing?

More sophisticated attacks, known as spear phishing, are personalized messages from scammers posing as people or institutions that you trust. They often collect identifiable information about you from social media or the compromised account of someone you know to make their messages more convincing. Never transmit sensitive information over email or social media, even if the message requesting information appears to be legitimate. 

Signs of phishing include:

  • Ultimatum: An urgent warning attempts to intimidate you into responding without thinking. ‘Warning! You will lose your email permanently unless you respond within 7 days’.
  • Incorrect URLs: Scammers may obscure URLs by using hyperlinks that appear to go to a reputable site. Hover your mouse over any suspicious links to view the address of the link. Illegitimate links often contain a series of numbers or unfamiliar web addresses.
  • No signature or contact information: Additional contact information is not provided.
  • Too good to be true offer: Messages about contests you did not enter or offers for goods or services at an unbelievable price are likely fraudulent.
  • Style inconsistencies: Pop up windows that claim to be from your operating system or other software may have a different style or colors than authentic notifications. Messages that claim to be from a reputable organization may be missing branding aspects such as a logo.
  • Spelling, punctuation, or grammar errors: Some messages will include mistakes. ‘Email owner that refuses to update his or her Email, within Seven days’
  • Attention-grabbing titles: "Clickbait" titles (e.g., "You won't believe this video!") on social media, advertisements or articles are sensationalist or attention-grabbing and sometimes lead to scams.
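The two signs above that a machine can check mechanically are the urgency cue and the mismatch between what a link displays and where it actually goes (including link targets that are a bare series of numbers). The following is an added example, not part of the original page or of any university's filtering software: a small Python checker that parses a constructed sample email, pulls every link out of the HTML body, compares the displayed address with the real `href` host, and flags urgency phrases. The sample message, its sender, and the placeholder domains and IP address are all invented for the example.

```python
"""Heuristic phishing-sign checker: urgency cues and deceptive links.

Added example; the sample messages below are constructed, not real phish.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the anchor text shows a plausible campus URL, but the
# href points at a bare IP address (placeholder documentation range).
SAMPLE_EMAIL = """From: IT Help Desk <helpdesk@example.edu>
To: user@example.edu
Subject: Warning! Your mailbox will be deleted
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Warning! You will lose your email permanently unless you respond within 7 days.</p>
<p>Click <a href="http://203.0.113.45/login">https://it.example.edu/account</a> to update.</p>
</body></html>
"""

# Constructed benign message for comparison.
CLEAN_EMAIL = """From: Colleague <colleague@example.edu>
To: user@example.edu
Subject: Meeting notes
Content-Type: text/plain; charset="utf-8"

Notes from today's meeting are attached. Thanks!
"""

# Phrases typical of the "ultimatum" sign; order determines finding order.
URGENCY_WORDS = ("immediately", "within 7 days", "permanently", "suspended", "warning!")
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class _LinkExtractor(HTMLParser):
    """Collect (href, displayed text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def check_link(href, text):
    """Return findings for one link: bare-IP target, or text/href host mismatch."""
    findings = []
    href_host = host_of(href)
    if IPV4_HOST.match(href_host):
        findings.append(f"link target is a bare IP address: {href_host}")
    # Displayed text that itself looks like a URL but resolves to another host.
    if re.match(r"https?://", text.strip()):
        text_host = host_of(text)
        if text_host and text_host != href_host:
            findings.append(f"link displays {text_host} but goes to {href_host}")
    return findings


def check_message(raw):
    """Parse an RFC 5322 message and return a list of phishing-sign findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    visible = re.sub(r"<[^>]+>", " ", html).lower()
    subject = str(msg["subject"] or "").lower()
    findings = []
    for word in URGENCY_WORDS:
        if word in subject or word in visible:
            findings.append(f"urgency cue: {word!r}")
    for href, anchor in extract_links(html):
        findings.extend(check_link(href, anchor))
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, "->", check_message(raw) or "no findings")
```

The checker is deliberately a heuristic, the same kind of rule a mail filter layers with many others; a message with no findings is not proof of legitimacy, which is why the page still asks you to hover over links and report suspicious messages.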

For more information, see the FTC's page about Phishing.

What are the Risks?

Don’t be fooled! These are fraudulent communications that in most cases have nothing to do with the institution they claim to be affiliated with. Opening these emails, replying to them, or clicking the links they provide poses a serious security risk to you and the campus network.

Some of the risks involved are:

  • Identity theft: Once you provide your personal information in response to a phishing attempt, this information can be used to access your financial accounts, make purchases, or secure loans in your name.
  • Virus infections: Some fraudulent emails include links or attachments that, once clicked, download malicious software to your computer. Others may also install keystroke loggers that record your computer activity.
  • Loss of personal data: Some phishing attacks will attempt to deploy crypto malware on your machine, malicious software that encrypts files on a victim’s computer and denies owners access to their files until they pay a ransom.
  • Compromising institutional information: If your university IT account is compromised, scammers may be able to access sensitive institutional information and research data.
  • Putting friends and family at risk: If your personal information is accessed, attackers will scan your accounts for personal information about your contacts and will in turn attempt to phish for their sensitive information. Phishers may also send emails and social media messages from your accounts in an attempt to gain information from your family, friends, and colleagues.

Phishing Attacks at UMass Amherst

Members of the university community may have received more targeted phishing emails, asking specifically for their IT Account NetID and/or password. These fraudulent emails claim to be official university communications (or otherwise originate from a legitimate office on campus). Most will ask you to ‘immediately update’ your personal information or face serious consequences.

Don’t be fooled! These emails do not come from UMass Amherst IT/UMass Amherst. They are fraudulent messages attempting to compromise your personal information.

UMass Amherst IT will never ask for your IT Account password or other sensitive information via email or link.

Note: UMass Amherst IT uses sophisticated email filtering software to automatically detect and block SPAM, phishing, malware, etc. To help mitigate risks, the filtering software and IT staff may take action including blocking or removing these types of emails.

The email filtering software is not foolproof and some unwanted messages may get through. It is critical that you learn to identify phishing scams, take the appropriate steps to protect your computer and your information, and report messages to IT.

Visit this page for instructions on how to report phishing messages to UMass Amherst IT.

What are the different types of phishing attacks?

Phishing attacks are social engineering attacks, and they can have a great range of targets depending on the attacker. They could be generic scam emails looking for anyone with a PayPal account.

Phishing can also be a targeted attack focused on a specific individual. The attacker often tailors an email to speak directly to you, and includes information only an acquaintance would know. An attacker usually gets this information after gaining access to your personal data. If the email is this type, it is very difficult for even the most cautious of recipients not to become a victim. PhishMe Research determined that ransomware accounts for over 97% of all phishing emails.

What is spear phishing?

Fishing with a pole may land you a number of items below the waterline – a flounder, bottom feeder, or piece of trash. Fishing with a spear allows you to target a specific fish. Hence the name.

Spear phishing targets a specific group or type of individual such as a company’s system administrator. Below is an example of a spear phishing email. Note the attention paid to the industry in which the recipient works, the download link the victim is asked to click, and the immediate response the request requires.

What is whaling?

Whaling is an even more targeted type of phishing that goes after the whales – a marine animal even bigger than a fish. These attacks typically target a CEO, CFO, or any other C-level executive within an industry or a specific business. A whaling email might state that the company is facing legal consequences and that you need to click on the link to get more information.

The link takes you to a page where you are asked to enter critical data about the company such as tax ID and bank account numbers.

What is smishing?

Smishing is an attack that uses text messaging or short message service (SMS) to execute the attack. A common smishing technique is to deliver a message to a cell phone through SMS that contains a clickable link or a return phone number.

A common example of a smishing attack is an SMS message that looks like it came from your banking institution. It tells you your account has been compromised and that you need to respond immediately. The attacker asks you to verify your bank account number, SSN, etc. Once the attacker receives the information, the attacker has control of your bank account.

What is vishing?

Vishing has the same purpose as other types of phishing attacks. The attackers are still after your sensitive personal or corporate information. This attack is accomplished through a voice call. Hence the “v” rather than the “ph” in the name.

A common vishing attack includes a call from someone claiming to be a representative from Microsoft. This person informs you that they’ve detected a virus on your computer. You’re then asked to provide credit card details so the attacker can install an updated version of anti-virus software on your computer. The attacker now has your credit card information and you have likely installed malware on your computer.

The malware could contain anything from a banking Trojan to a bot (short for robot). The banking Trojan watches your online activity to steal more details from you – often your bank account information, including your password.

A bot is software designed to perform whatever tasks the hacker wants it to. It is controlled through a command and control (C&C) channel and can be directed to mine for bitcoins, send spam, or launch an attack as part of a distributed denial of service (DDoS) attack.

What is email phishing?

Email phishing is the most common type of phishing, and it has been in use since the 1990s. Hackers send these emails to any email addresses they can obtain. The email usually informs you that there has been a compromise to your account and that you need to respond immediately by clicking on a provided link. These attacks are usually easy to spot as language in the email often contains spelling and/or grammatical errors.

Some emails are difficult to recognize as phishing attacks, especially when the language and grammar are more carefully crafted. Checking the email source and the link you’re being directed to for suspicious language can give you clues as to whether the source is legitimate.

Another phishing scam, referred to as sextortion, occurs when a hacker sends you an email that appears to have come from you. The hacker claims to have access to your email account and your computer. They claim to have your password and a recorded video of you.

The hackers claim that you have been watching adult videos from your computer while the camera was on and recording. The demand is that you pay them, usually in Bitcoin, or they will release the video to family and/or colleagues.

What is search engine phishing?

Search engine phishing, also known as SEO poisoning or SEO Trojans, is where hackers work to become the top hit on a search using a search engine. Clicking on their link displayed within the search engine directs you to the hacker’s website. From there, threat actors can steal your information when you interact with the site and/or enter sensitive data. Hacker sites can pose as any type of website, but the prime candidates are banks, money transfer, social media, and shopping sites.