Chances are you’ve received emails that appear to be from legitimate companies telling you your account has been suspended and you must log in immediately, or offering you a link to tracking information for a package you didn’t order. These emails are usually phishing scams. Phishing is the fraudulent practice of sending emails pretending to be from reputable sources in order to steal passwords or sensitive personal or financial information, or to install malware on the target’s computer.
Unfortunately, MIT community members are popular targets for these sometimes difficult-to-detect scams. The best defense against phishing attempts is to not click on links or download attachments in any email that you weren’t expecting, even from someone you may know.
A very real threat
Email attachments and downloads from malicious websites are the top two malware delivery methods. Security firms estimate that 30 percent of phishing emails are opened, with a 10 percent chance that a phishing email will succeed in either stealing sensitive information or installing malware.
These emails are successful because they manipulate our sense of urgency, fear, curiosity, greed, and desire to please. It’s common for attackers to make it seem like the message is coming from the IT department of your school or employer, your manager, friends, or companies that you do business with.
In the past, phishing emails were easy to identify because of poor spelling, grammar, or formatting. Now attackers are employing increasingly sophisticated methods, using hypertext markup language (HTML) to mimic legitimate email and login pages.
Some users at MIT have been targets for “spear phishing” attacks, where scammers use freely available information to craft an attack just for you. They might spoof your manager’s email address, or send a malicious attachment related to your job role or field of study.
Proceed with caution
No one at MIT will ask you to send your password via email. If you need to reset your MIT Kerberos password at any time, visit ca.mit.edu/ca/cpw.
IS&T asks that you please forward all suspicious emails to email@example.com so our Security team can improve the Institute’s spam filters and block malicious senders and links. Be sure to forward such emails as an attachment to preserve information the team will need to do so.
If you would like to verify whether a suspicious email is legitimate, contact either your local IT department or forward it to the IS&T Security team at firstname.lastname@example.org.
If the email looks like it’s from a friend, coworker, or business associate, you can also try to verify the validity of phishy emails by contacting the sender. However, don’t reply to these emails directly. Instead of clicking ‘Reply,’ forward the email and type the address of the person you want to contact into the address field of your email client. Alternatively, reach out to the person another way, such as by phone, text, or chat.
Similarly, if you’re being asked to click on a link to validate your account with a website, go to the site directly in a browser without clicking on the link in the email and log in as you normally would.
See examples of phishing emails
An article in the IS&T Knowledge Base provides some examples of “phishy” MIT emails. Recent phishing emails targeted at MIT are often shared on the MIT Phish Bowl on Flickr, as well as on our Twitter feed and Facebook page.
Other ways to protect yourself
In addition to running Sophos anti-virus and CrowdStrike to catch any malware you might have downloaded, IS&T recommends enabling automatic updates in your browser, applying software patches and operating system updates as they become available, backing up your computer regularly, and enabling operating system firewalls to protect your computer or laptop.
If you have questions about IT security, reach out to your local IT support or the IS&T Service Desk. If you’re concerned about an IT security threat or incident, contact the IS&T Security Team at email@example.com or IS&T Security.