INFORMATION SECURITY: PHISHING

What is Phishing?

Phishing is a deceptive technique where users are directed, often through official-looking emails, to provide personal information under false pretenses. These fraudulent messages may impersonate banks, police agencies, friends, coworkers, or other legitimate entities. The information requested can include credit card numbers, social security numbers, ATM PINs, passwords, and more. Recipients are typically asked to provide this information via email or by visiting official-looking websites, with threats of service discontinuation for non-compliance.

Note: Legitimate businesses and government entities are aware of phishing scams and would not ask you to send sensitive information in response to unsolicited e-mail. You should treat these messages like spam and never reply to them. Information Technology Services advises people to never send any passwords via an e-mail message for any reason.

How to Protect Yourself

For Students, Faculty, and Staff

Common Phishing Attacks

  • Scam Alerts
    Phishing scams come in various forms, from enticing users to "click here" for more information to fraudulent job offers with fake checks. There are also scams involving gift cards, false fines, phone-related schemes, and other job-related deceptions. It's crucial to stay informed and report any suspicious activity to the Help Desk and security@binghamton.edu.

    – Should you ever get any requests in print, please bring them to the ISSS Office or Financial Aid immediately, and they will review them and advise accordingly.

  • Protecting Your Personal Information
    It's crucial to be cautious, especially when asked for personal information over the phone. If someone claims to work for a U.S. government agency, always verify their identity. They will probably tell you that your only opportunity to resolve the issue is at the time of the call and that you have to take action now. Do not believe them. Ask for the person's full name, the agency they are working for, and a telephone number to call the person back. Never release personal information over the phone. For questions or concerns, contact the Help Desk.

  • Tuitions and Scams
    Some students have been targeted in scams promising better exchange rates for tuition payments. Never share your Binghamton University login information. Make all payments through Student Accounts using the official Flywire service for currency conversion.

PHISHING SCAMS

Start with the DON'Ts

1. DON'T fall for fake emails: Never disclose financial or personal information via email, regardless of how legitimate it may appear. Always research the email's authenticity. Binghamton University will direct any personal information requests through the myBinghamton portal ONLY.

2. DON'T click on random links: Don't turn into a fish out of water! Avoid randomly clicking links in emails and websites. Hover over links and senders first to ensure their legitimacy.

3. DON'T apply to suspicious job postings: Red fish, green fish, BLUE PHISH. You will be BLUE if you don't research job openings posted on Handshake or any others sent to you via Bmail.

4. DON'T connect to public Wi-Fi off campus: Avoid using public Wi-Fi, which can be a hotspot for hackers. Utilize Binghamton's VPN (virtual private network) for enhanced security. It's easy, and it's peace of mind.

And Apply the DO's for Online Security

1. DO use 2-factor authentication: Add an extra layer of security beyond your username and password. Learn more about 2FA.

2. DO run malware and virus protection: Keep your devices secure by using up-to-date browsers, virus protection, malware detection, software, and apps. Regularly check for updates for peace of mind. Learn more about malware and virus protection.

3. DO back up your work: Protect your valuable data by regularly creating backups. It's an extra layer of security and peace of mind. Learn more about how to back up your data.

4. DO protect your credentials: Binghamton University or any reputable organization will NEVER SEND EMAILS requesting your usernames, passwords, or other personal information.

MOST OF ALL - Stay in tune with the latest advice and assurance to avoid phishing scams by following Binghamton ITS (@BinghamtonITS) via Twitter and Instagram.


Social Engineering: Protecting Yourself from Deceptive Tactics

What is Social Engineering?

Social engineering encompasses a wide range of malicious activities accomplished through human interactions. It leverages psychological manipulation to trick individuals into making security mistakes or divulging sensitive information. This differs from social engineering within the social sciences, which does not involve divulging confidential information. In practice, a hacker uses social contact techniques to trick you into providing personal information that can break your security barrier, whether in person, by email, by text message, on the web, or over the phone.

Stay Alert When Dealing with Unfamiliar Individuals:
Be prepared when someone you do not know:

  • Asks you for information they're not authorized to access.
  • Uses urgency or pressure to obtain what they want, employing tactics like emotion, threats, fear, or rushing.
  • Utilizes technical jargon, confusing terms, grandiose offers, and other strategies to prompt a response.
  • Requests you to bypass or ignore standard security policies and processes.
  • Pretends to be someone you know, even if their tone doesn't sound similar to that person.

If in doubt, report it to the Help Desk and security@binghamton.edu. Remember, we can only help you remain secure if you take measures to help yourself.

For a deeper understanding, review these examples of social engineering tactics:

Additional Guidance and Useful Links for Phishing Scam Avoidance

  1. Phishing Techniques: Stay informed about phishing scams and their evolving methods by following @binghamtonITS on Instagram and Twitter. You can also take advantage of security awareness training for more insights.
  2. Think Before You Click: Never click on a link unless you are certain of its authenticity. Hover over links to preview their destinations before clicking.
  3. Install an Anti-Phishing Toolbar: Adding an anti-phishing toolbar to your browser is a simple and effective way to protect yourself from malicious links.
  4. Verify a Site's Security: Always check that a website's URL begins with "https" and features a lock icon and certificate. This additional verification step is essential for your online safety.
  5. Regularly Check Your Online Accounts: Be vigilant and monitor your online accounts for any suspicious activity. Early detection is key to preventing security breaches.
  6. Keep Your Browser Up to Date: Outdated web browsers can harbor serious security vulnerabilities. Regularly update your browser to stay protected. Learn more about how to keep your browser up to date.
  7. Use Firewalls for Added Protection: Firewalls act as a barrier or shield, safeguarding your devices from data-based malware threats. Learn more about Firewall.
  8. Exercise Caution with Pop-Ups: A single click on a malicious pop-up can lead to serious consequences. Always proceed with caution.
  9. Never Share Personal Information: Safeguard your personal information to reduce the risk of identity theft.
  10. Employ Antivirus Software: Ensure your devices' security by running up-to-date antivirus software, browser protection, malware prevention, and security applications. Regularly check for software and app updates to maintain your peace of mind.
  11. Implement 2-Step Verification: Enhance your account security by adding an extra layer of protection. Utilize 2-step verification to safeguard your accounts effectively. The provided link offers guidance on implementing 2-step verification for your Bmail Google account.

For more comprehensive information on each of these steps and additional ways to avoid falling victim to phishing scams, you can visit phishing.org.


Helpful Links and Tips to Avoid Phishing Scams

Stay Informed

Google Help: How Phishing Works, Information Phishing Sites May Ask For and Reporting Phishing Sites

Gmail (Bmail) Help: Avoid Phishing Attacks

Key Tips for Your Safety

Be Cautious with Suspicious Emails: When you receive an email asking for personal information, follow these steps:

    • Don't click any links or provide personal information until you've verified the email's legitimacy.
    • If the sender has a Bmail address, report the Bmail abuse to Google and/or contact the Help Desk.

When you get an email that looks suspicious, here are a few things to check for:

    • Check that the email address and the sender name match.
    • Check if the email is authenticated.
    • Hover over links before clicking to confirm their destination. Be cautious of misleading URLs.
    • Inspect message headers to ensure the "from" header isn't suspicious.

Secure Your Gmail (Bmail) Account: If you suspect your Gmail (Bmail) account has been compromised, take these steps:

Beware the Latest Scams

    • Stay ahead of the curve by watching out for the most recent scam emails. To learn more, read Adam Rowe's insightful article on Tech.com.

Additional Security Hints

Exercise Caution: Do not respond to emails requesting personal information.

Verify Website Authenticity: Refrain from providing personal information on websites unless you're certain about their legitimacy.

Be Wary of Clicking: If you're asked to "click here" to view a message or follow a link, always double-check with the sender. Hover over the link to scrutinize the URL.

Compromised Computer Accounts
There have been several e-mail phishing scams from accounts claiming to be Binghamton University e-mail addresses and asking recipients to send their passwords via a reply e-mail, or to "CLICK HERE..." Some in our campus community have taken the bait and provided sensitive, personal material to unknown parties. Identity theft is a growing national issue. Phishing is one method for unscrupulous persons to gain access to personal or computer account information and launch either spam attacks or hacking attacks on others in the internet community. The account owner is usually not aware of this improper use. Explore examples of phishing scams targeting Binghamton University accounts.

ITS performed a spot check of outgoing e-mail and found that almost 100 people responded to one of these scams, which purported to be a request from the "Binghamton Technical Support Team" and threatened to cut off e-mail service unless the recipient responded with user ID, password and birth date. We notified those people that they responded to the scam and urged them to change the passwords on their accounts to strong passwords (8-character minimum with a mix of small letters, capitals, numbers and special characters). It is good practice to change your password frequently.

If you have doubts about requests to send sensitive information via e-mail or web page, DO NOT REPLY! Call the office or email the person/party responsible for the request and verify that the request is legitimate and that the data collected is handled securely during transit and at the recipient site. University offices must adhere to this high standard as well. Please consult the University policy on Internet privacy for details.

Stay Vigilant

Recognize that it's impossible to monitor every phishing scam that users may encounter. Reputable institutions, including the University, will never request personal or password information via unsolicited emails. Therefore, never respond to such requests, regardless of how legitimate they appear.

If you have doubts about the validity of a message, verify the contact information from verifiable sources, such as paper correspondence or the telephone book. Users should also report any suspicious messages to the ITS Help Desk (helpdesk@binghamton.edu or 607-777-6420) and/or security@binghamton.edu, as not all scams may be immediately apparent.

If you've fallen victim to a phishing scam, change your password promptly. Additionally, please report any suspicious emails or phishing scams at security@binghamton.edu and contact the Help Desk if you require further assistance.