Five tips to avoid falling for a phishing scam

1/22/2025 1:00:00 PM

Phishing is a common way for cyber criminals to obtain sensitive data from private individuals and organizations. 

Phishing messages (as well as spear phishing and smishing) are designed to look legitimate so they can lure you in with malicious attachments and links, or trick you into revealing your password, Social Security number, credit card or bank account numbers – leaving you and your information vulnerable. 

Once cyber criminals have your personal information, they can use it on legitimate sites to make purchases, change accounts or passwords, and run malicious software, also known as malware.

More than 90 percent of successful cyberattacks start with a phishing email, according to the Cybersecurity & Infrastructure Security Agency (CISA). 

What to know about phishing, spear phishing, and smishing

Scammers send various types of messages that appear to be from legitimate sources, such as banks, retailers, or government agencies, to create a sense of urgency or to trick people into clicking on malicious links, calling fraudulent numbers, or providing personal details. 

Phishing is a type of online scam that targets a large group of consumers by sending them an e-mail that appears to be from a well-known source.

Spear phishing is an online scam where cyber criminals target a specific user to steal information or compromise the device of that person. Spear phishing emails are more direct and personal.

Smishing is a type of phishing scam that uses text (or SMS) messages to trick people into revealing sensitive information or downloading malicious software. 

Five ways to protect yourself

It is safe for you to open emails and texts to read them. It's what you do next that can be concerning and lead to identity theft, malware, or ransomware. With each email and text you receive:

1. Stop and question it

  • Pause and take a minute to review the content.
  • Identify whether the message is from a known or trusted source.
  • If you weren't expecting the email or text and it directs you to click on a link or open an attachment, be suspicious and don't react right away. 

2. Examine it

  • Look through the message for potential attack strategies in use. For example, does it include a threat, create a sense of urgency, offer a discount or something for free, or ask you to share personal information (Social Security number, bank account, credit card numbers), wire money, or provide codes for gift cards?
  • Before you open attachments or select links, hover the cursor over the text of the hyperlink to reveal the full URL. This should help you determine if it is a legitimate link or a link to something malicious. If you aren't sure, don't click it.
  • Look for indications something isn't right. Check the sender's name and their email address. If they don't match, it could be phishing. For example, if you receive an email from what looks like your bank, but the email address is from a gmail account, it likely isn't legitimate. 

3. Don't respond immediately

  • Cyber criminals want you to react immediately. Don't fall for it.
  • Don't click on links, open attachments, or provide any information.
  • Never provide passwords, sensitive information, or financial data.

4. Verify it

  • If the message looks like it’s from someone you know, call or message the sender separately to verify. Don't reply to the email – you could be replying to the cyber criminal.
  • If the message looks like it’s from a trusted organization such as your bank or credit card company, call them using contact information on their official website or your bank statement. Don't use the phone number or contact information in the suspicious email.

5. Report it and delete it

  • Report suspicious emails or text messages by using the “Report phishing” or “Report spam” feature in your account and then delete the message. Many email platforms, including Gmail, Outlook, and Mac Mail, have phishing report features.
  • Contact the Federal Trade Commission at ftc.gov for security incident and identity theft resources.
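
The two checks from step 2 (the sender's name against the email address, and a link's visible text against where it really goes) can also be automated. The following is an added example, not part of the original article; the bank name, addresses, and URLs in it are constructed, and the matching rules are simple heuristics chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def examine(raw_message):
    """Return a list of warning strings for one HTML email."""
    msg = message_from_string(raw_message)
    warnings = []
    # Check 1: do any words of the display name appear in the address domain?
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    words = [w for w in re.findall(r"[a-z]+", name.lower()) if len(w) >= 4]
    if words and not any(w in domain for w in words):
        warnings.append(f"sender name '{name}' does not match address domain '{domain}'")
    # Check 2: if the link text looks like a site name, does the href go there?
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        real = (urlparse(href).hostname or "").lower()
        shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
        if shown and real != shown.group(1) and not real.endswith("." + shown.group(1)):
            warnings.append(f"link shows '{shown.group(1)}' but opens '{real}'")
    return warnings

# Constructed sample message (not a real email).
SAMPLE = """From: "Northfield Bank Support" <alerts.northfield@gmail.com>
Subject: Action required
Content-Type: text/html

<p>Your account is locked. Sign in at
<a href="http://login.verify-account.example/nb">www.northfieldbank.example</a></p>
"""
```

Calling examine(SAMPLE) returns two warnings, one for each check. A message with no warnings is not proven safe; verify it as described in step 4.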

Useful resources

  • Learn how to recognize and report phishing (/mnit/assets/Stay%20cyber%20smart%20-%20Recognize%20and%20report%20phishing_tcm38-710075.pdf).
  • Use this Phishing Awareness handout to learn about common strategies (/mnit/assets/Phishing%20information_tcm38-707940.pdf).
  • Use this Phishing Attack Prevention handout for email action steps (/mnit/assets/Phishing%20Attack%20Prevention%20Handout_tcm38-707303.pdf).
  • Think you can spot the phishing email? Test your skills with the short Minnesota IT Services Phishing Quiz.

Bonus cybersecurity tips

Be smart about passwords: Use long, strong passwords or passphrases for each of your online accounts – bank, email, credit card, online stores, healthcare, etc. Use a unique password or passphrase for each account – don't use the same one for multiple accounts and don't make them all similar. To help you keep track of them, use a password manager.

Keep your software updated: Software updates often contain critical security patches that protect you from cyber criminals exploiting security vulnerabilities in the software. Set your computer and/or mobile device to auto-update to keep your devices current, and to protect your devices and sensitive data.
