OIT is conducting an ongoing self-phishing program to aid the AU community in better recognizing phishing attempts. Since phishing is one of the primary methods malicious actors use to compromise credentials and other sensitive information, it is important that you be able to recognize such attempts and not respond to them. The best way to accomplish this is through training.
You may not realize it, but you are a phishing target at school, at work, and at home. When viewing email messages, texts, or social media posts, keep the following tips in mind to keep passwords, sensitive institutional or personal data, and private information from being stolen.
Phishing messages may include a formal salutation, overly friendly tone, grammatical errors, extensive spelling errors, or urgent requests, particularly for money or personal information.
Avoid opening links and attachments.
Even if you know the sender, don't click on links that could direct you to a bad website.
If the email references an AU website, access the site the way you would normally, rather than via the link.
Do not open attachments unless you are expecting a file from someone.
Wherever possible, utilize tools such as OneDrive, the AU shared drives, and SharePoint sites to exchange documents, rather than email.
Verify the source.
Check the sender's email address to make sure it is legitimate.
If in doubt, delete the message and notify the IT Help Desk.
Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information.
If an unknown individual claims to be from a legitimate organization, try to verify their identity directly with the company.
Do not provide personal information or information about AU, including its structure or networks, unless you are certain of a person's authority to have the information.
Where possible, refer requests of this type to public resources.
Do not reveal personal or financial information over email, and do not respond to email solicitations for this information, including by following links sent in an email.
Do not send sensitive information over the Internet before checking a website's security.
Sites that accept personal information and logins should always be encrypted.
Pay attention to the URL of a website.
Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling, additional subdomains (e.g. yourbank.com.badsite.net), or a different domain (e.g. .com vs. .net).
If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly.
Do not use contact information provided on a website connected to the request; instead, check previous statements or public websites for contact information.
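
The URL check from the tip "Pay attention to the URL of a website", written out as an added Python example that is not OIT's own code. The function names and sample links are constructed for illustration, and yourbank.com stands in for the domain you expected to visit.

```python
from urllib.parse import urlsplit

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url, trusted):
    """Compare a link's hostname with the domain the reader expected to visit."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is already lowercased
    trusted = trusted.lower()
    # Legitimate: the host is the trusted domain itself or ends with ".<trusted>".
    if host == trusted or host.endswith("." + trusted):
        return "match"
    want, have = trusted.split("."), host.split(".")
    n = len(want)
    # The trusted name appears inside the host but the host ends somewhere else,
    # e.g. yourbank.com.badsite.net.
    if any(have[i:i + n] == want for i in range(len(have) - n)):
        return "trusted name used as subdomain of another domain"
    tail = have[-n:]
    # Same name, different ending, e.g. .com vs. .net.
    if len(tail) == n and tail[:-1] == want[:-1] and tail[-1] != want[-1]:
        return "different top-level domain"
    # One or two characters away from the trusted domain.
    if 0 < edit_distance(".".join(tail), trusted) <= 2:
        return "spelling variation"
    return "unrelated domain"

# Constructed sample links, not taken from real messages.
SAMPLES = [
    "https://www.yourbank.com/login",
    "https://yourbank.com.badsite.net/login",
    "https://yourbank.net/login",
    "https://yourbannk.com/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{link:45} {classify_link(link, 'yourbank.com')}")
```

Only the "match" result means the link points where it claims to; every other result is a reason to reach the site the way you normally would instead of through the link.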