Phishing Scams And How To Avoid Them
September 30, 2016
Your security comes first
At USPS we take our cyber security responsibilities seriously. Protecting the data of our customers, partners, vendors and suppliers is paramount. To help keep this information secure and protected, we have implemented comprehensive policies and procedures for avoiding phishing and other forms of social engineering attacks.
Phishing is a scam aimed at tricking victims to hand over private information to criminals.
Be suspicious of unusual or irregular emails and don’t provide private information to any unverified source.
What is phishing?
Phishing is a type of scam where cybercriminals fool unsuspecting victims into either downloading malware or turning over personal information like credit card numbers, Social Security numbers and passwords—sometimes even directly asking for money. They are literally “fishing” for data, but using phony appearances, hence the “ph” spelling.
How phishing works:
Cybercriminals often masquerade as legitimate businesses, using email, text message and phone calls to target their victims for info.
- An attacker will pose as a credit card company or financial institution or charity.
- Victims will get an email saying there is some problem with their account.
- Victims are usually asked to click on some link and supply their account information or access to their computer to clear it up.
- This link is a fake site and the info will simply go straight to the attacker, who can now access your real accounts.
How to recognize phishing
Phishing takes a variety of forms – spear-phishing, whaling, vishing – all falling into the “social engineering” category of attack. What they share is that, unlike malware, these attacks require the victim to take an action of some kind that results in personal info being exposed. The most common types of “bait” used in phishing scams are:
- An email containing an unknown link and a message urging you to click
- An email masquerading as a “security update”
- A suspicious attachment that you are asked to open and review
- A request asking you to log in to a familiar account or provide personal data so the sender can “verify” your information
- Some form of call-to-action that requires “immediate attention” and action
- A text message from an unknown sender asking you to take some action and/or provide information so you can claim an award
- A phone call from an unknown, unidentified or unverified phone number requesting personal or work-related information
- A call from a bank or help-desk organization asking for PIN, account information or login credentials
At USPS, we have very specific policies on how to deal with phishing. After an employee identifies a phishing email, they are instructed to avoid clicking on embedded links or attachments and report the message to the Postal Service’s Cyber Security Operations Center (CSOC). We stress to our employees that it’s their duty to report the message in order to keep USPS information safe by heeding the following steps:
- Prepare – While viewing the suspect message, employees are instructed to press the “Control,” “Alt” and “F” keys simultaneously to create a new email with the suspicious message attached
- Send – Send the email to the appropriate email address for the CyberSecurity Operations Center
- Delete – Delete the suspicious message from their inbox without responding to the sender or forwarding the message to anyone else
How to avoid becoming a phishing victim
Trust your instincts – If an email seems suspicious, delete it without opening.
Don’t send personal or financial information to anyone
As a general rule, don’t reveal personal or financial information to anyone unless you know them. Do not respond to email or text solicitations for this information.
Use secure sites beginning with “https:”
If you’re sending sensitive information over the internet, check the security of the website by making sure the website’s URL uses “https:” instead of just “http:”. Often there will be a lock icon or other indication preceding the URL signaling that the webpage is secured.
Verify the website’s URL
Malicious websites often look identical to a legitimate site (such as your bank), but the URL may be spelled slightly differently or use a different top-level domain (e.g., .com vs. .net).
Contact the company directly
If you aren’t sure if a request is legitimate, verify it by contacting the company directly. Look up the contact information yourself—not by using the info provided in the suspicious email or text.
Do some research
Known phishing attacks are tracked and identified by groups like the Anti-Phishing Working Group. You can also report phishing to the Anti-Phishing Working Group (APWG).
Keep your computer up to date
As a general rule, install OS updates and other app updates as they become available so that you have the latest security protection.
Review the greeting
Watch for a generic salutation or a greeting that is inconsistent with how the sender normally addresses you. If it seems odd or out of place, it probably isn’t real.
Check for mistakes
Errors in grammar and spelling can indicate a phishing attempt, as these often come from foreign countries where English is a second language.
Wait before you act
Be very suspicious of communications that require “Immediate action!”
Look before you click
If a link is included, hover over it and the destination address will appear. Check that the link text shown and the actual destination address match.
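The three URL checks above (“https:” in the address, a look-alike or wrong-TLD domain, and link text that does not match where the link actually goes) can be automated for anyone triaging reported messages. The script below is an added example, not USPS code or part of the original article. It parses the anchors in a constructed sample email body, compares each displayed address with its real destination, and compares the destination’s domain against a small, assumed list of trusted domains (`example-bank.com` and `usps.com` are placeholders). It also treats “https:” as only one signal: an https link to an attacker’s domain is still an attacker’s link, so scheme and domain are checked together.

```python
"""Flag suspicious links in an HTML email body (added example, not the article's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the reader actually does business with. Constructed placeholders, not real policy.
TRUSTED_DOMAINS = {"example-bank.com", "usps.com"}

# Constructed sample message: three bad links and one legitimate one.
SAMPLE_EMAIL = """
<p>Dear Customer, your account has a problem. Please verify immediately:</p>
<a href="http://example-bank.net/verify">https://www.example-bank.com/login</a><br>
<a href="https://example-bank.com.account-update.co/x">Click here</a><br>
<a href="https://exampl-bank.com/login">exampl-bank.com/login</a><br>
<a href="https://www.example-bank.com/help">Help Center</a>
"""

_URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; a rough stand-in for a public-suffix lookup."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Hostname of a displayed address, tolerating a missing scheme."""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link looks suspicious; an empty list means nothing was found."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        reasons.append("not https")
    # "Look before you click": displayed address vs. real destination.
    if _URL_LIKE.fullmatch(text.lower()):
        shown = host_of(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"displayed {shown} but goes to {host}")
    # "Verify the website's URL": wrong TLD, misspelling, or trusted name buried in another host.
    dom = registrable_domain(host)
    if dom and dom not in trusted:
        name = dom.rsplit(".", 1)[0]
        for t in trusted:
            tname = t.rsplit(".", 1)[0]
            if name == tname:
                reasons.append(f"{dom} uses a different TLD than trusted {t}")
            elif edit_distance(name, tname) <= 2:
                reasons.append(f"{dom} resembles trusted {t}")
            elif t in host:
                reasons.append(f"trusted name {t} embedded in unrelated host {host}")
    return reasons


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Return (href, text, reasons) for every link in the body that raised at least one reason."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = check_link(href, text, trusted)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

On the sample body, the first link is flagged for plain http, for a displayed address that differs from its destination, and for the .net/.com swap; the second for hiding a trusted name inside an unrelated host; the third for a one-letter misspelling; the genuine “Help Center” link passes. The two-label domain approximation is the main simplification: a production version would use a public-suffix list so that hosts under country-code second-level domains are grouped correctly.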
Always question attachments
Know what you’re opening and make sure it’s from a reliable source. If you’re not sure, pick up the phone and check.