网络钓鱼信息

What to Do If You Believe You Have Fallen for a Phishing Attempt

If you suspect you have fallen for a phishing attempt by providing any University information or account credentials, 或者下载过可疑内容, 请与您的本地学术科技团队或IT服务台，电话 973-655-7971，选项1，或电邮至 itservicedesk@hebhgkq.com to report the incident and be provided with additional guidance.

If you provided any financial or personally-identifiable information such as bank account or social security number that could potentially be used for identity theft, 请与大学警察联系，电话 (973) 655-5222 or msupolice@hebhgkq.com 提交报告.

Please Note

If you used or provided your NetID username and password in response to a phishing scam, 立即更改您的NetID密码 NetID客户管理中心.

网络钓鱼是一种电子邮件, phone call, or text message based attack that is sent with the intention of deceiving the recipient into providing information.

Potential phishing emails are an information security concern, however, 只有当收件人通过以下方式对尝试做出反应时才会这样做:

1. 1. Providing any information or credentials via email reply or clicking on a link in the email and submitting information to a web page or form.
  2. Downloading and/or opening any attachments in the email or downloading any files resulting from clicking on a link in the email.

垃圾邮件是与广告有关的未经请求的电子邮件, 服务产品, 社会或政治原因, etc. SPAM will not typically ask you to provide any information or ask for your personal or account related information via a reply or upon clicking a link. SPAM can simply be deleted or you can mark the message as SPAM in Gmail or in your preferred messaging client. 虽然这可能很烦人, SPAM is not generally considered an information security concern and 不需要报告给IT服务台吗.

If you only opened (read) but did not otherwise interact with a potential phishing message as described above, the message 不需要报告给IT服务台吗. If you are using Gmail, you can report the message to Google:

1. 1. While viewing the message, click on the three vertical dots on the upper-right of the message.
  2. 点击“举报网络钓鱼”

If this does not automatically remove the email from your inbox, you may proceed to delete the email.

如果您确实与消息交互(例如.e. click links, open attachments, or provide information), please see the first section above, “What to Do If You Believe You Have Fallen for a Phishing Attempt“.

Suspicious sender’s address that may imitate a legitimate business
Generic greetings and signature and a lack of contact information in the signature block
Spoofed hyperlinks and websites that do not match the text when hovering over them
Misspelling, poor grammar or sentence structure, and inconsistent formatting
Suspicious attachments or requests to download and open an attachment

Spearphishing: Phishing targeted at an individual by including key information about them
Whaling: Phishing targeted at a high-profile individual to steal sensitive and high-value information
Vishing: Phishing via voice communication to entice the victim to engage in conversation and build trust
Smishing: Phishing via text messages to get the victim to click on a link, 下载档案及应用程式, 或者开始一段对话

注意网络钓鱼的常见迹象
- 检查显示名和电子邮件地址. Attackers often attempt to distract victims from the false email address (bob.jones@msu.com)通过包含真实的显示名称(Bob Jones).
  - Attackers use publicly accessible directory information to appear as someone of authority such as your manage or the university president.
- 常见的拼写和语法错误. Legitimate business and marketing brands take communication seriously and legitimate emails usually do not have a prevalence of spelling mistakes or poor grammar.
- 部门名称等虚假信息. If you never heard of the “Office of Student Registration”, it is likely because it doesn’t exist. 查一下校园目录.
- Requests to provide personal information or credentials via an email response or form. All central and distributed campus Information Technology resources are trained not to ask for a user’s personal credential information (i.e. 密码到你的NetID帐户)，你也不应该提供它. Ever.
不要相信电子邮件(或文本)中的链接
- Attackers often include embedded links in an attempt to redirect you to a malicious site. 该站点可能是一个表单，要求您输入信息, 创建帐户, 使用您的凭证登录, etc. 有很多不同的例子, however, 它们都是用来窃取你的重要信息的.
- Never trust embedded links (highlight text that appears as words and not a URL/site address) in an email or text message. 始终检查完整的URL，看看是否有可疑之处. 如果你不确定，不要打开/点击链接.
  - 查看嵌入链接的URL (Hover Over方法):
    - 从电脑上，将鼠标指针移动到链接上没有点击. The actual web address of the link should appear at the bottom of the browser window or in a pop-up.
    - 从移动设备 iOS (Apple)或Android操作系统, you can evaluate embedded links by pressing and holding the link down with your finger or stylus. 应该出现一个弹出对话框，然后放手. The dialog should show the full URL of the embedded link and other options.
- 更安全的方法 是手动输入一个已知的网站到你的浏览器. For example, 如果你收到一封声称来自你的银行的电子邮件, use your browser to type in the address of your bank directly instead of clicking the link.
不要相信附件
- If the attachment is unexpected or has a suspicious name or file extension, 发件人的帐户可能已被泄露. 在打开附件之前，请致电发件人验证附件.
Do not call phone numbers listed in emails from unfamiliar senders
- Reference a reliable source such as a billing statement or go directly to the company’s web site to obtain the number.
评估问候方式
- 问候语是否含糊不清，比如“尊贵的客户”?? Legitimate businesses that have your customer information will often use a more personal greeting with your first and last name.
注意语气
- Attackers typically attempt to create a sense of urgency to trick the recipient into thinking that they must take action immediately which also serves to distract you from assessing the legitimacy of the request.