Phishing

Phishing - /'fiSHiNG/ - Phishing is an attempt by malicious actors pretending to be a legitimate enterprise for the purpose of stealing private information, such as Username and Passwords, Social Security Numbers (SSN), Date of Birth, and Banking information.

LSU IT Security & Policy (ITSP) is dedicated to improving the security posture of the university in addition to helping our community members learn how to improve their own security. ITSP reviews phishing messages received by LSU Community to implement preventive security measures for our Campus network and our email services. Additionally, LSU has implemented a phishing awareness program to educate our user community regarding types of phishing messages.

LSU does not terminate Office 365 accounts for users that have accounts at multiple institutions. If you receive a message threatening to terminate your account due to having accounts at other Universities, do not interact with the message, sender, or any forms provided; instead, please report the message to the LSU IT Service desk or via the Report Phishing tool in Outlook.

Remember, LSU will never:

  • Ask you for your password over phone, text, or through a form submission for your LSU account or any other account
  • Ask you to approve a log in through a phone call or your Microsoft Authenticator app for a sign on you are not attempting
  • Request your name, date of birth, LSU ID or Social Security number, or password reset question information over phone or text
  • Ask for payment through PayPal or Zelle to retain your account

Providing your password or MFA verification to another via a form, text message, or phone call puts your account at risk of compromise; this may lead to your account being temporarily suspended in the event your account is used to send malicious messages or exhibits other suspicious activity.

If you have any questions or need assistance with your account, please contact the LSU IT Service Desk instead of responding to unsolicited messages by:

  • Visiting us in the Frey Computing Services Center
  • Sending an email to itservice@lsu.edu
  • Submitting a request through the ITS Self Service portal at itservice.lsu.edu
  • Calling the IT Service Desk at 225-578-3375
  • Report Phishing messages through Outlook

ITSP’s comprehensive phishing awareness program seeks to educate our users to recognize malicious content by running regular phishing simulations. At the completion of each simulated phishing campaign, ITSP will choose two reporters to win an LSU bundle. One student and one employee will be chosen at random from each month’s reporters.

You must report the phish using the Cofense Reporter button in Outlook or Outlook Web for a chance to win. Winners will be notified by a member of ITSP via email the week following the conclusion of each campaign. For details on how to report phishing, please refer to the "Report Suspicious E-mails" section below.

ITSP has implemented a phishing reporting tool called Cofense Reporter. The application conveniently integrates directly with Outlook mail clients and Office365, providing LSU users a quick and easy mechanism to report phishing e-mails.

  • Use Cofense Reporter to report a phishing e-mail to LSU ITSP. This method will be the only one utilized to identify winners for the Phishing Awareness Program
  • If Cofense Reporter is not an available option for you, please report phishing messages to LSU ITSP.

Here are three quick steps you can take to identify phishing emails:

  1. Check the sender: Check the domain of the sender's address. Phishing emails will often come from unfamiliar domains.
  2. Check the body: Phishing emails often try to create a sense of fear and urgency in subject lines, hoping users will comply. Grammatical errors are common as well as random use of capitalization. 
  3. Check the destination: Always review links prior to clicking, and in the event the link has been clicked, please review the destination website for confirmation that the URL is accurate and valid. When possible, opt to go directly to a site through your browser instead of clicking in a link.

Phishing attacks are not isolated to emails.  Get familiar with these terms:

  • Smishing: fraudulent text messages 
  • Vishing: fraudulent phone calls from scammers impersonating legitimate businesses 

To protect yourself from smishing and vishing:

  • Be suspicious of all unknown callers and unexpected text messages.
  • Don't inherently trust caller ID. Phone numbers can be spoofed, i.e. the number on caller ID may not be the actual number calling you.
  • If you are unsure about a caller, ask lots of questions. If a caller is asking for personal information or wants you to purchase something, ask for company information and inform them that you will call back. You can search for the company and their customer support number to call back and confirm. 

Attackers take information from publicly available listings like staff directories or membership lists from groups or organizations to impersonate someone to their peers and other contacts by creating new accounts with free email providers that use an individual's name, department, or title in the email address or their display name.

The attackers use these addresses to send messages to the impersonated user’s contacts with a sense of urgency while claiming the impersonated user can't be reached any other way, or they may request the victim’s phone number so that they can continue the scam over text message.

If a potential victim responds, the attacker requests the victim to purchase gift cards in varying denominations with their personal funds. The attacker will request that the victim send images of the gift cards so that they may redeem them.

Here are a few tips to avoid getting scammed by impersonations:

  • Check the sender's email address. Is this a legitimate email address for the user?
  • Watch for warnings in the message like "you don't often get email from this address" or mismatches between the email address, display name, and email signature.
  • Validate requests through a separate channel. For example, contact the user making the request directly via phone, in-person, or a known-good address to validate the request before making any purchases or following any instructions in the email.
  • Check with your coworkers or peers to determine if they received a similar suspicious message.
  • Carefully evaluate the context of the message. Watch out for messages that attempt to manipulate you into action using a false sense of urgency.
  • Report all suspicious emails using Cofense Reporter.

 

If you believe you have fallen for a phish, please take the following actions:

  • If you accidentally shared your username and password, please change your password immediately. Note: The new password must be unique and should not have been used anywhere else. If you use the same password for different services, you must change passwords for other services as well.
  • If you shared your banking (credit card, debit card, bank account, etc.) information, please reach out to your financial institutions.
  • If you shared any other personally identifiable information (Social Security Numbers, Date of Birth, etc.), you should take necessary steps to monitor your credit for any unauthorized changes. View our information on Identity Theft  for details on how to freeze your credit.