Kansas State University

Phishing and Spear Phishing

The practice of sending out fake email messages that look as if they come from a trusted person or institution, usually a bank, in order to trick people into handing over confidential information. The emails often direct you to a website that looks like that of the real financial institution. But it is a fake and has been rigged to collect your personal information, such as passwords, credit card numbers and bank account numbers, and transmit them to the Bad Guys.

What you can do

  • Know that financial institutions will never send email to ask for personal information or to enroll you in a new security feature.
  • Do not click on any links provided within the email, and do not reply to the message.
  • Call the institution if you are unsure about the legitimacy of a communication that appears to be from them.
  • Use new versions of web browsers (like IE 9, Firefox 9.01, and Opera 11.6) that have anti-phishing features that alert you before loading a suspicious website. When given a warning, take it seriously; don't ignore it.
  • Train yourself to recognize a fraudulent email by studying the websites listed below.

Why it works

Phishing scams use various social engineering and spoofing techniques to try to trick their victims into giving away personal information such as account usernames, passwords, credit card numbers, social security numbers, and home addresses.

Most of these emails look "official," as if they were sent from a trusted entity like a bank, or a retailer or another legitimate business. As a result, recipients often respond to them, which can result in financial losses, identity theft, or other fraudulent activity.

Phishing is a variation on the word fishing; fishers (and phishers) set out hooks, knowing that although most won't take the bait, someone just might.

Spear Phishing

In addition to mass mailings, phishers have started using a more targeted method of phishing called "Spear Phishing." In a spear phishing attack, the only recipients of the email are known members of the institution that the email is targeting. Universities are frequently targets of this type of attack because all of the email addresses end with a common "phrase," in our case: @k-state.edu.

Email addresses are acquired for Spear Phishing in several ways:

  • The scammer could join a mailing list and use the "to:" field to create a list of targets.
  • The scammer could buy a list from a hacker who has somehow infiltrated a system where the email addresses are stored.
  • The scammer could simply guess a series of email addresses based on what is known about the general format of the address. (Many universities or businesses have a formula for creating an email address: "xyz123@UniversityX.edu" for instance.)

Resources

Organization/entity                          Web address
Anti-Phishing Working Group                  www.antiphishing.org
Looks Too Good To Be True                    www.lookstoogoodtobetrue.com
Internet Crime Complaint Center              www.ic3.gov
Federal Trade Commission's OnGuard Online    onguardonline.gov
Urban legends and hoaxes                     www.snopes.com