Audience: All Franklin University users with University Office365 email accounts.
Disclaimer: The results and functionality of the following article only apply to the audience listed above.
For best practices, please see the following video (staff or faculty log-in required to view): Click Here
Phishing or Malicious Emails
Definition: Phishing is a fraudulent attempt to gather personal information such as passwords, identity information, or financial information. For recent examples: Click Here
Action Item 1. Determine if it is a phishing email using the section below entitled "How to Detect Phishing Emails or Malicious Emails." If the email is a phishing email, please follow the other 3 action items below.
- Remember, don't click on any links or enter any personal information unless you determine an email is completely legit. Use the criteria in sections of this article below to determine if the email is legit.
Action Item 2. Reset your password: If you have entered any personal information as a result of the email, or clicked on links in a malicious email, best practice is to promptly change your University password. Passwords are the most common thing hackers try to obtain from you.
Action Item 3. Forward the email to the Help Desk as an attachment, so that we can investigate. If you have already forwarded a copy of the email, thank you for your prompt action!
Instructions to forward an email as an attachment: Start a new email to helpdesk@franklin.edu > drag the phishing email into the body of the new email > Send.
**There is an image at the bottom of this document showing the process**
Action Item 4. Mark the email as Junk:
How to Detect Phishing Emails or Malicious Emails
For recent examples: Click Here
- Banners: Faculty and Staff, watch for banners that indicate whether the email arrived from outside of the Franklin organization. Click Here for more information.
- Misspelling – Often the subject or the body of a phish will contain misspelled words.
- Sending Address – Many phishing emails will come from an address that looks official at a glance, but can be spotted with a little scrutiny (e.g. Microsoft_billing@mail.media.co). Don't respond to emails that appear to be official but come from unofficial email addresses.
- Faculty and Staff: See the following link: Click Here
- Suspicious Links – You can always hover your mouse pointer over a link to see its destination address without clicking it. The link's actual destination will appear after “https://na02.safelinks.protection.outlook.com/?url=” in the address shown.
- Suspicious Attachments – An attachment is the most frequently used method to deliver a malicious payload. Always be suspicious of an attachment supposedly containing information that could easily have been in the body of the email. Verify the email came from a trustworthy source and that an attachment is expected before opening one.
- Urgency – Attackers employ methods to make you feel like action must be taken quickly (e.g. “your account will be charged”, “your account will be locked”, “about to expire”).
- Greetings – Phishing emails often have generic greetings and signatures such as "Dear User" and "Sincerely, IT Helpdesk," etc.
- SMS and QR Codes – Be wary of anything that arrives unexpectedly by text, or any type of message with QR codes.
Please note that Franklin University will NEVER ask for your password through e-mail, so be wary of anything that says otherwise.
Detect Phishing Websites
- Check for slight misspellings - in the URL, company name, etc. For example, paypa1.com instead of paypal.com.
- Check that you are on a legit website - Just because the word "Franklin" is in the web address doesn't mean that it is a legitimate website.
- Be wary of pop-ups - Some phishing sites may take you to a legitimate website, but then prompt you for your username and password.
- Use additional software - Many browsers have add-ons/extensions/plug-ins that can help detect phishing sites.
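The two link checks described above (reading the destination that follows "?url=" in a Safe Links address, and not trusting a web address just because it contains "Franklin") can also be scripted when reviewing a forwarded email. The Python below is an added example, not part of the original article or a University tool; the trusted domain franklin.edu, the function names and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: Safe Links hosts look like <region>.safelinks.protection.outlook.com
# and carry the real destination in the "url" query parameter, as the article shows.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
# Assumption for this example: franklin.edu is the only trusted University domain.
TRUSTED_DOMAIN = "franklin.edu"

# Constructed sample links (not taken from real emails).
SAMPLE_LINKS = [
    "https://na02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.franklin.edu%2Flogin&data=05%7C01&reserved=0",
    "https://na02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffranklin.edu.account-verify.example%2Freset&data=05%7C01&reserved=0",
    "https://franklin-edu.example/login",
    "https://www.example.org/news",
]


def unwrap_safelink(link: str) -> str:
    """Return the destination hidden inside a Safe Links URL, or the link unchanged."""
    parts = urlsplit(link)
    host = (parts.hostname or "").lower()
    if host.endswith(SAFELINKS_SUFFIX):
        # parse_qs percent-decodes the value (%3A%2F%2F becomes ://).
        wrapped = parse_qs(parts.query).get("url")
        if wrapped:
            return wrapped[0]
    return link


def classify(link: str) -> tuple[str, str]:
    """Return (real_host, verdict) for a link copied from an email."""
    host = (urlsplit(unwrap_safelink(link)).hostname or "").lower()
    # Trusted only if the host IS the domain or ends with ".franklin.edu".
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return host, "university"
    # "franklin" appearing anywhere else in the host is a lookalike.
    if "franklin" in host:
        return host, "lookalike"
    return host, "external"


if __name__ == "__main__":
    for sample in SAMPLE_LINKS:
        real_host, verdict = classify(sample)
        print(f"{verdict:<10} {real_host}")
```

The second sample shows why the end of the host name is what matters: franklin.edu appears at the start of the address, but the site actually belongs to account-verify.example.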
Best Practices
- Please note that Franklin University will NEVER ask for your password through e-mail, so be wary of anything that says otherwise.
- Don't use easily guessable passwords.
- Don't use the same password for all websites and applications.
- Don’t enter sensitive or personal information on unsolicited websites or popup windows.
- Go to links yourself, rather than clicking on links in emails.
- Don't click anywhere in suspicious e-mails—even in what may appear to be white space. Moving an email to the Junk folder can expose links hidden within an email.
- Don’t open attachments in unexpected or suspicious e-mails or instant messages.
- Don’t send passwords, bank account numbers, or other private information in an email.
- Don't accept social media friend requests from people you don't know.
- Don’t provide identity information, including credit card numbers, when you receive an unsolicited e-mail or phone call.
- Look for 'https://' and a lock icon in the address bar before entering any private information on a website.
- Install and regularly update an anti-virus program that can scan email.
- If an email from a friend or colleague looks suspicious, call them and ask if the email is legitimate.
- Faculty and Staff: See the following link: Click Here
- Call your financial institutions directly using the number found on the back of your credit/debit card or your monthly statement.
- If a person is requesting personal information from an unrecognized number, ask for a case number and then call back through the main number.
- Never use your University credentials (username/password) to log in to other non-University websites.
- Never respond to a request for your password sent by e-mail, even if the request appears legitimate.
- When in doubt about an email, contact the Help Desk.
Helpful Links:
http://www.phishing.org/what-is-phishing
https://www.microsoft.com/en-us/wdsi/threats/support-scams
https://www.consumer.ftc.gov/articles/0003-phishing