Help! I Replied to a Phishing Email. Now What Do I Do?

Phishing emails can target anyone.  Some of them are so sophisticated they will fool even the best of us into clicking links or attachments, and/or providing information before we realize they are bogus.  It’s possible that this has happened to you, but the important thing is that you realized that it was a scam and are taking steps to rectify the situation.

The steps outlined below should be carefully completed as soon as possible.  If you have any questions after you have reviewed these instructions and attempted/completed the suggested steps, contact IT Support for further assistance.

Note: If at any time you feel physically threatened, you should contact your local police department at once.  If you are on campus, you should also contact Public Safety.

Report the Phishing Incident

Phishing attacks are often deployed on a large scale, and target many people.  Timely reporting of the incident can help ensure others who might have received the same phishing email don’t also respond to it.

Phishing emails can be reported quickly by using the “Report Message” tool in Outlook.  It should be located in the toolbar at the top of the email.


Change Your Email and Windows or macOS Password

Malware can harvest your email and login passwords; therefore, you should change those passwords even if you did not supply them.  If possible, change passwords from a different PC while the malware scans are running; otherwise, wait until the scans are completed and show that no infections were detected or that any malware that was detected has been quarantined or cleaned.

If you use the same password for other accounts, change those as well.  Identity thieves know people reuse passwords and will try your password with online banks, social media, and other accounts.  If you find that you are locked out of any of your accounts, contact the company’s customer service or security department.

Scan Your PC or Mac for Malware, Viruses, or Spyware

Since email attachments and links are primary methods used to distribute malware, the next step is to run a complete system scan with anti-virus software.

Scan Your La Salle Computer

La Salle computers are equipped with licensed anti-virus software.  If you are using a University laptop or desktop, navigate the cursor to the lower taskbar of your main display, and click on the caret (^) icon on the right-hand side.  Several icons will appear.  Right-click on the blue "M" icon for Malwarebytes Nebula Agent (hover your cursor over the icon to see the name of the application) and click "Start Threat Scan."  The scan may take approximately 20-30 minutes to run.  Take a screenshot of the results and save it in case it is needed for future reference.

If you need assistance with this scan, you can contact IT Support through the IT Service Portal or by calling 215-951-1860.

Scan Your Personal Device with Anti-Virus Software

It is recommended that you protect your home computer with strong anti-virus protection.  Once installed, your anti-virus software may display warnings, informing you of threats (be sure the warning is actually from your anti-virus company, not an impostor).  In situations where you feel it may be necessary to run an immediate scan, you may initiate a system scan manually from the application.  Do not click on the link in the pop-up notification.  If your anti-virus software reports problems, you should follow the actions it recommends.  This usually involves quarantining or deleting the infected files.  Most anti-virus software will have links you can follow to learn more about the specific infection.  When in doubt as to whether files are malicious, you should quarantine the files.  If quarantining is not possible, then delete the files.

Windows Defender Scan on Personal Devices

On a Windows 10 PC, Microsoft Windows Defender’s Advanced scans menu offers the option of a deep scan that is performed offline after Windows Defender reboots your system.  While a deep scan takes longer than a normal anti-virus scan, it can detect or fix problems missed by normal system scans.  Therefore, this deep scan option provides a valuable “second opinion” after a normal system scan.  Windows Defender is available on Windows 10 PCs even if you use another anti-virus program such as McAfee or Symantec.

To access the Advanced scans menu, open Settings, select the Updates & Security option, select the Windows Security menu option, select Virus & threat protection from the Protection areas menu, and click on the link for Run a new advanced scan.

On a Windows 11 PC, you can perform a full scan by following these steps: open the Start menu, search for “Windows Security” and click the top result to open the app. Then click on “Virus & threat protection.”  Under the “Current threats” section, click on “Scan options”.  Select the “Full Scan” option to check the entire system for viruses and any other type of malware. Click the “Scan now” button.  Once you complete the steps, Microsoft Defender Anti-virus will scan the computer for viruses and other types of malware.  If anything is detected, the anti-virus will remove (or quarantine) the threats automatically.

Mac

While Macs are generally less vulnerable to malware than Windows PCs, there are still risks of infection.  There are various anti-virus software apps available in the Mac App Store.  Select the app of your choice and follow the prompts to install it and run a scan.

Check Email Forwarding Rules, Suspicious Sent Mail and Deleted Items, and for New Folders

In addition to harvesting passwords, malware may allow criminals to access your email accounts.  Criminals may search through your emails for information that they can use to steal your identity, they may use your account to send or receive additional phishing emails, or they may use your account to send emails to your employer, banks, financial institutions, or medical providers.  Examples of the types of emails that might be sent from your account include:

  • address change requests to divert payments and refund checks, replacement credit or debit cards, blank check orders, or account statements;
  • change requests for transaction verification and transaction notification email address or telephone numbers so that the criminals will be able to authorize fraudulent transactions or to divert notifications that would alert you to problems;
  • change requests for account and employment information such as direct deposit information for wages or government benefits.

Forwarding Rules, etc.

Email Inbox rules are normally used to automate routine processing of incoming emails, including selectively redirecting email to Deleted Items or another folder, or forwarding emails to another email account’s inbox.  Criminals often set up forwarding rules to divert email before you see it.  These rules may automatically forward emails to unknown email addresses or move them to the Deleted Items, Notes, or Junk Email folders.

In Office 365 (web version), check for Inbox Rules by:

  • Click the Settings (gear) icon in the upper right of the Office 365 Outlook screen to open the Settings pane at the right of the screen;
  • Click “View all Outlook settings” at the bottom of the list;
  • When the new window opens, make sure “Mail” is selected (on the left);
  • Select each of the following one at a time (from the middle column) and review the rules (if any) that are set:
    • Rules
    • Sweep
    • Junk Email – check the Blocked Senders and Safe Senders listed, and be sure they reflect your intentions.  Is there someone on the blocked list who should not be there, or someone on the “Safe” list whom you don’t recognize or didn’t put there?
    • Quick Steps
    • Forwarding – Has forwarding been enabled to an email address you don’t recognize?

If you find rules you do not recognize, this confirms that your email account was compromised.  A typical rule might move all emails with a specific subject line such as “Can you do me a favor?” or “Exciting Job Offer” to another folder or email address.  You should note the forwarding addresses and delete these rules.
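The checks described above can also be run against a list of rules.  This is an added example, not code from the article or from La Salle IT: it takes rule records in a constructed export shape (an assumption, mirroring the fields the Outlook Rules and Forwarding panes show) and flags rules that forward outside the account’s own domain, move mail into the folders named above, delete mail, or match the hacked-account subject lines listed on this page.

```python
# Constructed sample (assumption): one record per inbox rule, holding the fields
# the Outlook "Rules" and "Forwarding" settings panes display for each rule.
SAMPLE_RULES = [
    {"name": "Receipts", "enabled": True, "subject_contains": ["receipt"],
     "forward_to": [], "move_to_folder": "Receipts", "delete": False},
    {"name": "Filter", "enabled": True,
     "subject_contains": ["Can you do me a favor?", "Exciting Job Offer"],
     "forward_to": ["collector@mail-drop.example.net"],
     "move_to_folder": "Deleted Items", "delete": False},
    {"name": "Cleanup", "enabled": True, "subject_contains": ["Security alert"],
     "forward_to": [], "move_to_folder": "RSS Subscriptions", "delete": False},
    {"name": "Old", "enabled": False, "subject_contains": ["Password check"],
     "forward_to": ["x@example.net"], "move_to_folder": "", "delete": True},
]

# Folders the article names as alternative inboxes used to hide diverted mail.
HIDING_FOLDERS = {"deleted items", "junk email", "notes", "rss subscriptions"}
# Keywords taken from the article's list of subject lines sent from hacked accounts.
SUSPECT_SUBJECT_WORDS = {"favor", "job offer", "job opportunity", "password",
                         "security alert", "delivery", "deactivation", "press release"}

def external_addresses(addresses, own_domain):
    """Return the addresses whose domain differs from the account's own domain."""
    own = own_domain.lower()
    return [a for a in addresses if a.lower().rsplit("@", 1)[-1] != own]

def triage_rules(rules, own_domain):
    """Return (rule name, reasons) for every rule showing one of the article's indicators."""
    findings = []
    for rule in rules:
        reasons = []
        ext = external_addresses(rule.get("forward_to", []), own_domain)
        if ext:
            reasons.append("forwards to external address: " + ", ".join(ext))
        folder = rule.get("move_to_folder") or ""
        if folder.lower() in HIDING_FOLDERS:
            reasons.append("moves mail to " + folder)
        if rule.get("delete"):
            reasons.append("deletes matching mail")
        hits = [s for s in rule.get("subject_contains", [])
                if any(w in s.lower() for w in SUSPECT_SUBJECT_WORDS)]
        if hits:
            reasons.append("matches hacked-account subject lines: " + "; ".join(hits))
        if reasons:
            if not rule.get("enabled", True):
                reasons.append("currently disabled, but could be re-enabled at any time")
            findings.append((rule["name"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in triage_rules(SAMPLE_RULES, "example.edu"):
        print(f"Rule '{name}': " + "; ".join(reasons))
```

Anything it reports is a rule to write down (including the forwarding address) and then delete, as the article recommends.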

Sent Mail

Check your Sent Mail folder for any evidence of scam or phishing emails that the attacker may have sent to your friends and business associates or to your students, employer, professors, financial institutions, insurance companies, or to your doctor or other medical providers.  If the Sent Mail folder contains messages that you do not remember sending, this would confirm that your email account was compromised.  While new scams emerge daily, subject lines for some common email messages that are sent from hacked email accounts include:

  • Password check required immediately;
  • Security alert;
  • Change of password required immediately;
  • A delivery attempt was made;
  • Urgent press release to all employees;
  • Deactivation of [email] in process;
  • Revised vacation & sick time policy;
  • UPS delivery;
  • Need a Quick Favor;
  • Job Opportunity.

However, since the attacker could also have deleted those messages after sending them, a sensible precaution is to ask your most frequent correspondents if they received any suspicious emails from you after the phishing attack.

Deleted Items and Other Folders

Criminals will also use Deleted Items, Notes, Junk Email, RSS Subscriptions, or other obscure email folders as alternative Inboxes for conducting ongoing email conversations with potential scam victims.  As with the Sent mail folder, if any other email folder contains messages that you do not remember sending, particularly common hacked-account messages such as those listed above, this would confirm that your email account was compromised.

Confidential Information in Email Messages

While email does not provide adequate security for highly confidential content, many people continue to use email for communicating information that can be used for perpetrating fraud and identity theft.  Some examples of the types of information that transform a routine phishing incident into full-fledged identity theft include:

  • Social Security Numbers;
  • credit, debit, or ATM card numbers, PIN codes, expiration dates, or security codes;
  • account numbers and ACH routing numbers for authorizing direct debits;
  • bank or financial account numbers, particularly if the email included an account PIN or other access credentials;
  • driver’s license or other state-issued ID card numbers;
  • health insurance information including member IDs, provider numbers, group numbers, or the name of the insured’s primary care physician;
  • passwords, login IDs, answers to security questions, and other account information for email, banking, financial, social media, or other online accounts;
  • income tax documents, financial aid applications, employment and salary data, and other non-public financial information.

If any similar data was included in your email messages, it is safest to assume that it was compromised and follow the recommendations in the Precautions if You Divulged Information section of this document.

Precautions if You Divulged Information

  • If you supplied your Cell Phone Number and the criminal calls or texts you, block incoming calls from that number.
     
  • If you supplied financial information, such as Credit Card Number or Bank Account or Checking Account Information, you need to contact your bank or credit card company immediately to prevent fraudulent transactions.  Their customer service or fraud reporting lines should be printed on the back of your credit or debit card.  Check your credit card statements carefully. If you discover any unauthorized charges, you should dispute the transactions by sending a letter to the credit card company at the address listed on the statement for this purpose, not the address for sending payments.  The Federal Trade Commission provides a sample letter at https://www.consumer.ftc.gov/articles/0385-sample-letter-disputing-billing-errors.
     
  • If you supplied your Social Security Number, Driver’s License Information, or other personal information, you need to take steps to protect yourself from Identity Theft.  Request a free credit report to verify that credit accounts have not been opened in your name.  Free annual credit reports covering Equifax, Experian, and TransUnion are mandated by the Fair Credit Reporting Act (FCRA) and are available from https://www.annualcreditreport.com or by calling 1-877-322-8228.  You should look through each of your credit reports carefully:
    • Check for accounts you do not recognize, especially accounts opened recently and look in the inquiries section for names of creditors from whom you have not requested credit.
    • Look in the personal information section for any address listed where you have never lived.  Identity thieves often submit address change requests to divert credit card statements and bills so that victims remain unaware of the fraudulent transactions.
    • If you find items you do not understand on your report, call the credit bureau at the number on the report. Credit bureau staff will review your report with you.  You should make note of any account or transaction that cannot be explained.
    • Consider placing a fraud alert or credit freeze on your accounts.  You can place a free, one-year fraud alert by contacting any one of the three major credit bureaus. That company must tell the other two.

Finally, if you discover any fraudulent transactions, file reports with the Federal Trade Commission’s IdentityTheft.gov web site, your local police department, and the FBI’s Internet Crime Complaint Center (IC3).


Moving Forward

There are basic precautions you can take to reduce the chances of infection on your PC or Mac.

  • Do not use an administrative account for everyday use.  Use it only to install software and updates/patches (this only applies to Windows PCs);
  • Be sure to install all current Windows or macOS updates and patches when they are released;
  • Use anti-virus software that offers real-time protection, and run virus detection scans regularly.  Be sure to keep current with the software’s updates; and
  • Make sure multifactor authentication (MFA) is active.  MFA is extra security that requires two or more credentials to log into your accounts.  The extra credentials you need to log in to your account fall into three categories:
    • something you know — like a passcode, a PIN, or the answer to a security question;
    • something you have — like a one-time verification passcode you get from an authenticator app (preferred), or by text or email;
    • something you are — like a scan of your fingerprint, your retina, or your face.

Multifactor authentication makes it harder for scammers to log in to your accounts if they do get your user name and password.


Phishing Email Detection Tips

Despite the technological advances of anti-virus software and early detection efforts, phishing attempts are here to stay.  With phishing attempts becoming craftier, the best offense is a good defense!  So, it’s important to educate ourselves (and those we care about) on how to detect phishing attempts for our own protection, and for the protection of the La Salle community.

Here are 10 easy ways to detect a phishing email and stop scammers:

1. Check the sender

Expand the email address to make sure it appears legitimate and is spelled correctly. Is the sender familiar – an individual you know or a business with which you engage regularly?

2. Hover before you click

Verify that the link address matches the link’s description. Phishers are capable of copying email templates and branding to make emails appear as if they’re from a trusted sender. However, they’ll swap links with fraudulent ones, leading users right into a trap.  Hover your mouse over the link (but don't click on it) to see where it will actually take you.

In the case of an attachment, hover over the attachment (but don’t open it) to see where it will actually take you.
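The hover check above can be automated for a saved HTML message.  This is an added example, not code from the article: it lists every link whose visible text names one host while the href points to another, using a constructed sample body (an assumption) that contains one such mismatch.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (assumption): two links whose visible text agrees
# with the real destination, and one whose text imitates a portal but points elsewhere.
SAMPLE_HTML = """
<p>Your mailbox is almost full. Sign in at <a href="https://mail-quota-reset.example.net/login">
https://portal.example.edu/mail</a> to keep receiving messages.</p>
<p>See <a href="https://www.example.com/policy">example.com/policy</a> for details,
or <a href="https://support.example.com/">contact support</a>.</p>
"""

URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?", re.I)

def host_of(text):
    """Lowercased host of a URL or bare domain, with any leading 'www.' removed."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = (urlparse(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def looks_like_url(text):
    """True when the visible link text is itself a URL or a domain name."""
    words = text.split()
    return bool(words) and URL_LIKE.fullmatch(words[0]) is not None

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def find_mismatched_links(html):
    """Return (visible text, real destination) pairs whose hosts do not agree."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if looks_like_url(text) and host_of(text) != host_of(href)]

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_HTML):
        print(f"shown: {text}\n  goes to: {href}")
```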

3. Don’t trust urgency

Phishing emails commonly use urgency to bypass your better judgment. Again, if the email isn’t from an individual or business you regularly communicate with, there is no need for urgency.

4. Practice caution with attachments

An attacker can quickly install malware if you open an attachment. Cybercriminals commonly use attachments with intriguing names to pique your interest. Resist the urge to open them!

5. Check spelling

Malicious emails are known for bad grammar and spelling – an easy red flag.

6. Check the email signature

Most legitimate senders include a full email signature that matches their address.  If a sender’s email signature contains contact information, a quick Google search could help verify they are who they say they are.  If an email appears to come from a La Salle student or employee, a directory search in the mylasalle portal could help verify who they are.  If the email still seems "off" to you, contact the person by using the directory information to confirm that the email is legitimate.

7. Protect personal information

Legitimate companies rarely ask for sensitive personal information via email. If you’re concerned about a request, you can always call the company’s phone number listed on their website and speak with someone to confirm the validity.

8. Check for vague introductions

“Valued Customer” or similar intros are potential signals the email is from an outsider sending mass communications and waiting for someone to bite.

9. Trust your gut

If something seems slightly off, don’t doubt your intuition! Make a call or report the email as soon as possible.

10. Report suspicious emails

Tech support and management would rather review a suspicious email than put the entire La Salle community at risk. Do your part and report suspicious emails to your IT team by using the “Report Message” tool located in the toolbar at the top of your email.

