Help! I Replied to a Phishing Email. Now What Do I Do?

Phishing emails can target anyone.  Some of them are so sophisticated they will fool even the best of us into clicking links or attachments, and/or providing information before we realize they are bogus.  It’s possible that this has happened to you, but the important thing is that you realized that it was a scam and are taking steps to rectify the situation.

The steps outlined below should be carefully completed as soon as possible.  If you have any questions after you have reviewed these instructions and attempted/completed the suggested steps, contact IT Support for further assistance.

First, if at any time you feel physically threatened, you should contact your local police department at once.  If you are on campus, you should also contact Public Safety.

Report the Phishing Incident

Phishing attacks are often deployed on a large scale, and target many people.  Timely reporting of the incident can help ensure others who might have received the same phishing email don’t also respond to it.

Phishing emails can be reported quickly by using the “Report Message” tool in Outlook.  It should be located in the toolbar at the top of the email.

 

Change Your Email and Windows or MacOS Password.

Malware can harvest your email and login passwords; therefore, you should change those passwords even if you did not supply them.  If possible, change passwords from a different PC while the malware scans are running; otherwise, wait until the scans have completed and have either reported no infections or cleaned any malware they detected.

If you use the same password for other accounts, change those as well.  Identity thieves know people reuse passwords and will try your password with online banks, social media, and other accounts.  If you find that you are locked out of any of your accounts, contact the company’s customer service or security department.

Scan Your PC or Mac for Malware, Viruses, or Spyware.

Since email attachments and links are primary methods used to distribute malware, the next step is to run a complete system scan with anti-virus software.

If you are using a University laptop or desktop, you can contact the Helpdesk to assist with the scan.

Scan with Your Normal Anti-Virus Software

On your home computer, your anti-virus software may display warnings, informing you of the attack (be sure the warning is actually from your anti-virus company).  However, in many cases, you will need to initiate a system scan manually.  In either case, if your antivirus software reports problems, you should follow the actions it recommends.  This usually involves either quarantining the infected files, cleaning the files, or deleting the files.  Most anti-virus software will have links you can follow to learn more about the specific infection.  When in doubt as to whether files are malicious, you should quarantine the files.  If quarantining is not possible, then delete the files.

Windows Defender Scan

On Windows 10 PCs, Microsoft Windows Defender’s Advanced scans menu offers the option of a deep scan that is performed offline after Windows Defender reboots your system.  While a deep scan takes longer than a normal anti-virus scan, it can detect or fix problems missed by normal system scans.  Therefore, this deep scan option provides a valuable “second opinion” after a normal system scan.  Windows Defender is available on Windows 10 PCs even if you use another anti-virus program such as McAfee or Symantec.

To access the Advanced scans menu, open Settings, select the Update & Security option, select the Windows Security menu option, select Virus & threat protection from the Protection areas menu, and click on the link for Run a new advanced scan.

On a Windows 11 PC, you can perform a full scan by following these steps: open the Start menu, search for “Windows Security” and click the top result to open the app. Then click on “Virus & threat protection.”  Under the “Current threats” section, click on “Scan options”.  Select the “Full Scan” option to check the entire system for viruses and any other type of malware. Click the “Scan now” button.  Once you complete the steps, Microsoft Defender Antivirus will scan the computer for viruses and other types of malware.  If anything is detected, the antivirus will remove (or quarantine) the threats automatically.

Mac

While Macs are generally less vulnerable to malware than Windows PCs, there are still risks of infection.  There are various antivirus software apps available in the Mac App Store.  Select the app of your choice and follow the prompts to install it and run a scan.

 

Check Email Forwarding Rules, Suspicious Sent Mail and Deleted Items, and for New Folders

In addition to harvesting passwords, malware may allow criminals to access your email accounts.  Criminals may search through your emails for information that they can use to steal your identity, they may use your account to send or receive additional phishing emails, or they may use your account to send emails to your employer, banks, financial institutions, or medical providers.  Examples of the types of emails that might be sent from your account include:

  • address change requests to divert payments and refund checks, replacement credit or debit cards, blank check orders, or account statements;
  • change requests for transaction verification and transaction notification email address or telephone numbers so that the criminals will be able to authorize fraudulent transactions or to divert notifications that would alert you to problems;
  • change requests for account and employment information such as direct deposit information for wages or government benefits.

Forwarding Rules, etc.

Email Inbox rules are normally used to automate routine processing of incoming emails, including selectively redirecting email to a Deleted Items or other folder or forwarding emails to another email account’s inbox.  Criminals often set up forwarding rules to divert email before you see it.  These rules may automatically forward emails to unknown email addresses or move them to the Deleted Items, Notes, Junk Email, or RSS Subscriptions folders.

In Office 365 (web version), check for Inbox Rules as follows:

  • Click the Settings (gear) icon in the upper right of the Office 365 Outlook screen to open the Settings pane at the right of the screen;
  • Click on “View all Outlook settings” at the bottom of the list;
  • When the new window opens, make sure “Mail” is selected (on the left);
  • Select each of the following one at a time (from the middle column) and review the rules (if any) that are set:
    • Rules
    • Sweep
    • Junk Email – check the blocked senders and Safe Senders listed, and be sure they reflect your intentions.  Is there someone on the blocked list that should not be there, or someone on the “Safe” list that you don’t recognize, or didn’t put there?
    • Quick Steps
    • Forwarding – Has forwarding been enabled to go to an email address you don’t recognize?

If you find rules you do not recognize, this confirms that your email account was compromised.  A typical rule might move all emails with a specific subject line such as “Can you do me a favor?” or “Exciting Job Offer” to another folder or email address.  You should note the forwarding addresses and delete these rules.
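For support staff reviewing many mailboxes, the same checks can be applied to an exported list of rules. The script below is an added example, not part of the original article; the field names, the example.edu domain, and the sample rules are all constructed assumptions.

```python
# Added example: flag inbox rules that forward mail outside the organization
# or move it into the rarely checked folders named in this article.
# Field names and sample data are constructed, not a real export format.
HIDING_FOLDERS = {"deleted items", "notes", "junk email", "rss subscriptions"}
ORG_DOMAIN = "example.edu"  # assumption: your organization's mail domain


def is_internal(address, org_domain=ORG_DOMAIN):
    """True if the address belongs to the organization or one of its subdomains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain == org_domain or domain.endswith("." + org_domain)


def audit_rule(rule):
    """Return the reasons (possibly none) why a rule deserves a closer look."""
    reasons = []
    for target in rule.get("forward_to", []) + rule.get("redirect_to", []):
        if not is_internal(target):
            reasons.append(f"sends mail to outside address {target}")
    folder = (rule.get("move_to_folder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely checked folder '{folder}'")
    if rule.get("delete_message"):
        reasons.append("deletes matching mail")
    if reasons and rule.get("subject_contains"):
        reasons.append(f"applies to subjects {rule['subject_contains']}")
    return reasons


def audit_mailbox(rules):
    """Map rule name -> reasons, keeping only rules with at least one finding."""
    return {r["name"]: found for r in rules if (found := audit_rule(r))}


# Constructed sample rules for one mailbox.
SAMPLE_RULES = [
    {"name": "Newsletters", "move_to_folder": "Reading List"},
    {"name": ".", "subject_contains": ["Exciting Job Offer"],
     "move_to_folder": "RSS Subscriptions"},
    {"name": "fwd", "forward_to": ["collector@mail.example.net"]},
    {"name": "To assistant", "forward_to": ["assistant@example.edu"]},
]

if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES).items():
        print(f"{name!r}: " + "; ".join(reasons))
```

A flagged rule is a prompt for review with the mailbox owner, since people do create forwarding and filing rules of their own.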

Sent Mail

Check your Sent Mail folder for any evidence of scam or phishing emails that the attacker may have sent to your friends and business associates or to your students, employer, professors, financial institutions, insurance companies, or to your doctor or other medical providers.  If the Sent Mail folder contains messages that you do not remember sending, this would confirm that your email account was compromised.  While new scams emerge daily, subject lines for some common email messages that are sent from hacked email accounts include:

  • Password check required immediately;
  • Security alert;
  • Change of password required immediately;
  • A delivery attempt was made;
  • Urgent press release to all employees;
  • Deactivation of [email] in process;
  • Revised vacation & sick time policy;
  • UPS label delivery, 1ZBE312TNY00015011.

However, since the attacker could also have deleted those messages after sending them, a sensible precaution is to ask your most frequent correspondents if they received any suspicious emails from you after the phishing attack.

Deleted Items and Other Folders

Criminals will also use Deleted Items, Notes, Junk Email, RSS Subscriptions, or other obscure email folders as alternative Inboxes for conducting ongoing email conversations with potential scam victims.  As with the Sent mail folder, if any other email folder contains messages that you do not remember sending, particularly common hacked-account messages such as those listed above, this would confirm that your email account was compromised.

Confidential Information in Email Messages

While email does not provide adequate security for highly confidential content, many people continue to use email for communicating information that can be used for perpetrating fraud and identity theft.  Some examples of the types of information that transform a routine phishing incident into full-fledged identity theft include:

  • Social Security Numbers;
  • credit, debit, or ATM card numbers, PIN codes, expiration dates, or security codes;
  • account numbers and ACH routing numbers for authorizing direct debits;
  • bank or financial account numbers, particularly if the email included an account PIN or other access credentials;
  • driver’s license or other state-issued ID card numbers;
  • health insurance information including member IDs, provider numbers, group numbers, or the name of the insured’s primary care physician;
  • passwords, login IDs, answers to security questions, and other account information for email, banking, financial, social media, or other online accounts;
  • income tax documents, financial aid applications, employment and salary data, and other nonpublic financial information.

If any similar data was included in your email messages, it is safest to assume that it was compromised and follow the recommendations in the Precautions if You Divulged Information section of this document.

Precautions if You Divulged Information

  • If you supplied your Cell Phone Number and the criminal calls or texts you, block calls from the criminal.
     
  • If you supplied financial information, such as Credit Card Number or Bank Account or Checking Account Information, you need to contact your bank or credit card company immediately to prevent fraudulent transactions.  Their customer service or fraud reporting lines should be printed on the back of your credit or debit card.  Check your credit card statements carefully. If you discover any unauthorized charges, you should dispute the transactions by sending a letter to the credit card company at the address listed on the statement for this purpose, not the address for sending payments.  The Federal Trade Commission provides a sample letter at https://www.consumer.ftc.gov/articles/0385-sample-letter-disputing-billing-errors.
     
  • If you supplied your Social Security Number, Driver’s License Information, or other personal information, you need to take steps to protect yourself from Identity Theft.  Request a free credit report to verify that credit accounts have not been opened in your name.  Free annual credit reports covering Equifax, Experian, and TransUnion are mandated by the Fair Credit Reporting Act (FCRA) and are available from https://www.annualcreditreport.com or by calling 1-877-322-8228.  You should look through each of your credit reports carefully:
    • Check for accounts you do not recognize, especially accounts opened recently and look in the inquiries section for names of creditors from whom you have not requested credit.
    • Look in the personal information section for any address listed where you have never lived.  Identity thieves often submit address change requests to divert credit card statements and bills so that victims remain unaware of the fraudulent transactions.
    • If you find items you do not understand on your report, call the credit bureau at the number on the report. Credit bureau staff will review your report with you.  You should make note of any account or transaction that cannot be explained.
    • Consider placing a fraud alert or credit freeze on your accounts.  You can place a free, one-year fraud alert by contacting any one of the three major credit bureaus. That company must tell the other two.

Finally, if you discover any fraudulent transactions, file reports with the Federal Trade Commission’s IdentityTheft.gov web site, your local police department, and the FBI’s Internet Crime Complaint Center (IC3).

 

Moving Forward

There are basic precautions you can take to reduce the chances of infection on your PC or Mac.

  • Do not use an administrative account for everyday use.  Use it only to install software and updates/patches.  (This only applies to Windows PCs.);
  • Be sure to install all current Windows or MacOS updates and patches when they are released; and
  • Use anti-virus software that offers real-time protection, and run virus detection scans regularly.  Be sure to keep current with the software’s updates.
  • Make sure multi-factor authentication (MFA) is active.  MFA is extra security that requires two or more credentials to log into your accounts.   The extra credentials you need to log in to your account fall into three categories: 
    • something you know — like a passcode, a PIN, or the answer to a security question.
    • something you have — like a one-time verification passcode you get by text, email, or from an authenticator app; or a security key
    • something you are — like a scan of your fingerprint, your retina, or your face

Multi-factor authentication makes it harder for scammers to log in to your accounts if they do get your username and password.

 

Phishing Email Detection Tips

Despite the technological advances of anti-virus software and early detection efforts, phishing attempts are here to stay.  With phishing attempts becoming craftier, the best offense is a good defense!  So, it’s important to educate ourselves (and those we care about) on how to detect phishing attempts for our own protection, and for the protection of the La Salle community. 

Here are 10 easy ways to detect a phishing email and stop scammers:

1. Check the sender

Expand the email address to make sure it appears legitimate and is spelled correctly. Is the sender familiar – an individual you know or a business you regularly engage with?

2. Hover before you click

Verify the link address matches the link’s description. Phishers are capable of copying email templates and branding to make emails appear as if they’re from a trusted sender. However, they’ll swap links with fraudulent ones, leading users right into a trap.

In the case of an attachment, hover over the attachment (but don’t open it) to see where it will actually take you.

3. Don’t trust urgency

Phishing emails commonly use urgency to bypass your better judgment. Again, if the email isn’t from an individual or business you regularly communicate with, there is no need for urgency.

4. Practice caution with attachments

An attacker can quickly install malware if you open an attachment. Cybercriminals commonly use attachments with intriguing names, but resist the urge to open them!

5. Check spelling

Malicious emails are known for bad grammar and spelling – an easy red flag.

6. Check the email signature

Most sincere senders include a full email signature that matches their address. If a sender’s email signature contains contact information, a quick Google search could help verify they are who they say they are.

7. Protect personal information

Legitimate companies rarely ask for sensitive personal information via email. If you’re concerned about a request, you can always call the company’s phone number listed on their website and speak with someone to confirm the validity.

8. Check for vague introductions

“Valued Customer” or similar intros are potential signals the email is from an outsider sending mass communications and waiting for someone to bite.

9. Trust your gut

If something seems slightly off, don’t doubt your intuition! Make a call or report the email as soon as possible.

10. Report suspicious emails

Tech support and management would rather review a suspicious email than put an entire organization at risk. Do your part and share suspicious emails with your IT team by using the “Report Message” tool located in the toolbar at the top of your email.

 

Details

Article ID: 154859
Created: Wed 4/12/23 12:37 PM
Modified: Fri 3/22/24 4:22 PM

Related Articles (1)

When it comes to reporting suspected phishing emails, seconds count! The sooner IT can send alerts to students, faculty, and staff, the greater the chance that we can protect someone from being victimized by criminals.
This article will tell you how to find and use the built-in phish reporting tools in the Outlook Desktop Client, Outlook Web Access, or Outlook Mobile, which is the fastest, easiest and IT-preferred way to report phishing messages.