Phishing e-mails are a type of spam that attempts to impersonate another person or institution. They come in several forms and employ different methods, but their end goal is usually to extract information or steal money. However, with some attention to detail, spam e-mails can be thwarted and usually ignored safely.
Most phishing e-mails come in the form of either malicious links or "favors" seemingly requested by people you know. These e-mails may target individual people, or they may target a large group of e-mail addresses.
For more information on how to handle spam e-mails, please see the instructions below.
Malicious Links and Hoaxes
Malicious links can appear to come from either people or institutions. These can take various forms, such as messages about shared documents or links to forms to fill out. These e-mails might also impersonate major companies, such as PayPal or Amazon, and lead you to log-in pages that look like official websites but are actually falsified.
In these e-mails, the spammer is trying to get you to either share sensitive information or download malware.
Fake E-mails from Friends and Colleagues
Sometimes you will receive suspicious e-mails allegedly sent by your colleagues. Scammers will often look up who is in charge of an organization and impersonate that person in order to add pressure.
These e-mails tend to start off short and ask for an immediate response, sometimes saying that it is an urgent matter. They will refuse to communicate over the phone (usually citing a "meeting" they're going into) and will eventually ask you to buy gift cards for them or transfer money to an account.
These e-mails may include malicious links or attachments, but typically do not, since the sender is usually looking for sensitive information or codes. Often, these e-mails come from addresses that look like a real e-mail address at a glance (such as "[email protected]").
How To Identify Spam E-Mails
- Typos and misspellings, especially in e-mails purporting to be companies. It is extremely rare for a major company to send an e-mail with such errors.
- E-mail addresses that aren't quite right; if the e-mail is not @kean.edu or @exchange.kean.edu, it is not a real Kean e-mail.
  - Always pay attention to the "domain" of the e-mail (what follows the @ in the e-mail).
  - "@kean.edu" e-mails purporting to be from an organization or a member of the university are highly likely to be spam.
  - It is possible for the e-mail address to be correct but still be spam, and it is also possible for someone to send an e-mail "from" the correct address without actually hacking into it.
- Short, unclear links, such as "bit.ly" or "tinyurl.com" links.
  - These websites are not inherently malicious, but they are frequently used to hide where the link really goes.
- Check where the links in an e-mail actually lead. Even if a full link is written out, clicking on it may lead somewhere else.
  - In some browsers, you can hover over the link and look in the bottom left corner to see the page it leads to.
  - You can right click on a link and select "Copy Link Address" and paste it elsewhere to look at it.
- If at any point, a gift card (iTunes, Google Play, etc.) is requested in place of proper currency, the e-mail is definitely a scam.
- Consider if the information in the e-mail sounds familiar or normal.
  - Is it claiming an account you don't recognize has been suspended?
  - Is it claiming you have lost access to something, but you can still log into that page?
  - Is a supposed colleague referencing people or events that you've never heard about?
  - Is it being sent by someone who doesn't normally e-mail you or directly contact you?
(For more information on phishing scams, please see the FTC's official article.)
Best Practices To Fight Spam
- Stay calm and read carefully. Scammers want to make it seem like there is urgent trouble in order to scare you into doing what they want.
- Never click on a link that you are not expecting to receive.
- Avoid clicking on "shared document" links for files you are not expecting.
- Notify colleagues in advance when you're sharing a document with them through Microsoft.
- If possible, copy links into the URL/search bar at the top of your browser instead of clicking them.
- Always use your Kean or Exchange e-mail when corresponding with other members of the University.
- Never send passwords, social security information, etc. by e-mail or into a "Google Form" webpage.
- When in doubt, contact the sender (by phone, in person, or in a new e-mail message) or a colleague and confirm whether the e-mail is legitimate.
- Extend these practices to guarding your personal e-mails and text messages to ensure that no malware is installed on your devices.
- Change your passwords regularly and avoid re-using them between different accounts.
  - If feasible, use a password manager to give each account a unique and difficult-to-guess password.
What To Do If You Receive A Spam E-mail
- If you receive a spam e-mail, share the e-mail information (including date, time, and sender e-mail address) in a new ticket on our portal.
- If you did not click on any links or attachments, no further action should be needed. If our investigation suggests that you may have been compromised by a hidden malware or script, then we will contact you.
- If you have clicked on any links or attachments, please let us know so that we can assist with any removal of malware or other necessary actions.
- If you entered sensitive information into a false page or form, contact IT immediately.
- In either of these cases, you should also immediately change your password.
- If you were impersonated by a spam e-mail, that does not necessarily mean your account has been compromised (especially in the case of improperly formatted e-mail addresses). Malware scans are scheduled to occur regularly. Still, it is good practice to change your passwords regularly and get in touch with our office if you require assistance in ensuring the security of your account and devices.
What To Do If You Think You Were Hacked
In the event that your account has been compromised, it's important to take immediate action to secure it.
- Contact IT
- Change your passwords
- Remove unfamiliar devices in account settings
For detailed instructions on what to do when your account is compromised, please see our Solution article for account compromises.