Kansas State University

Phishing and Spear Phishing

What you can do

  • Know that financial institutions will never send e-mail to ask for personal information or to enroll you in a new security feature.
  • Do not click on any links provided within the email, and do not reply to the message.
  • Call the institution if you are unsure about the legitimacy of a communication that appears to be from them.
  • Use new versions of web browsers, such as IE 7, Firefox 2.0, and Opera 9.1, which have anti-phishing features that alert you before loading a suspicious website.
  • Train yourself to recognize a fraudulent e-mail by studying the websites listed below.

Phishing

Phishing scams use various social engineering and spoofing techniques to try to trick their victims into giving away personal information such as account usernames, passwords, credit card numbers, social security numbers, and home addresses.

Most of these emails look "official," as if they were sent from a trusted entity like a bank, a retailer, or another legitimate business. As a result, recipients often respond to them, which can result in financial losses, identity theft, or other fraudulent activity.

Phishing is a variation on the word fishing: fishers (and phishers) set out hooks, knowing that although most of their prey won't take the bait, they just might entice some to bite.

Spear Phishing

In addition to mass mailings, phishers have started using a more targeted method of phishing called "Spear Phishing." In a spear phishing attack, the only recipients of the email are known members of the institution that the email is targeting. Universities are frequent targets of this type of attack because all of their email addresses end with a common "phrase," in our case: @k-state.edu.

Email addresses are acquired for Spear Phishing in several ways:

  • The scammer could join a mailing list and use the "To:" field to create a list of targets.
  • The scammer could buy a list from a hacker who has somehow infiltrated a system where the email addresses are stored.
  • The scammer could simply guess a series of email addresses based on what is known about the general format of the address. (Many universities and businesses have a formula for creating an email address, "xyz123@UniversityX.edu" for instance.)

Resources

Organization/entity                          Web address
Anti-Phishing Working Group                  www.antiphishing.org
Looks Too Good To Be True                    www.lookstoogoodtobetrue.com
Internet Crime Complaint Center              www.ic3.gov
National Fraud Information Center            www.fraud.org
Federal Trade Commission's OnGuard Online    onguardonline.gov/index.html
Urban legends and hoaxes                     www.snopes.com