What Phishing Is
A phishing attack happens when someone tries to trick you into sharing personal information online. Phishing is usually done through email, ads, or by sites that look similar to sites you already use. For example, someone who is phishing might send you an email that looks like it's from your bank so that you'll give them information about your bank account.
Phishing emails or sites might ask for:
- Usernames and passwords, including password changes
- Social Security numbers
- Bank account numbers
- PINs (Personal Identification Numbers)
- Credit card numbers
- Your mother’s maiden name
- Your birthday
Important: The SMCC IT HelpDesk will never ask you to provide this type of information in an email.
Avoid Phishing Attacks
Be careful anytime you get an email from a site asking for personal information. If you get this type of email:
- Don’t click any links or provide personal information.
- If the sender has an SMCC address, notify the IT HelpDesk by calling (207) 741-5696.
When you get an email that looks suspicious, here are a few things to check:
- Check that the email address and the sender name match.
- Hover over any links before you click on them. If the URL of the link doesn't match the description of the link, it might be leading you to a phishing site.
In general, if an email is creating a sense of urgency, like "your account will be deactivated" or "I need you to help me now", it's probably a scam. Don't respond to the email. Contact the sender through another medium or a trusted address/phone number and verify the email is for real - it probably is not. You can also report the email to the IT HelpDesk as we have additional tools that might help validate the message.
Here are some scams that we have seen recently:
- An offer to help the President of College with a research project. The email begins like this: "There is a Pressing need for Students as Remote Interns at the Office of the President. The office is looking to appoint a Research Assistant with strong communication and listening skills to join Joseph L. Cassidy on his research project. As part of the research project, there will be a weekly compensation of $350 for eligible students." This may be convincing because it uses the real name of our President. However, he isn't looking for research assistants. Another clue is that the email includes a personal Gmail address to contact for more information. We have also seen a version of this scam which references the payment as "remotely with a weekly pay of $Three Hundred and Fifty weekly" which is an unusual way to write a dollar amount.
- A similar advertisement that claims to be from the "Office of the Senior Research Assistant" that begins like this: "There is a Pressing Need for Students as Research Assistants at the Office of Administrative Aide, Southern Maine Community College. The Office will be accepting applications starting today 26th February, 2023". This email is very similar to the one from the "President" except it includes a cell phone number to text. The number really works and if you message it you will be communicating with the scammer. It goes without saying that you should not do this and if you have, you should let the IT HelpDesk know immediately.
- An email with the subject **PAYCHECK** that includes a check for you to print out and deposit. The email begins: "You are receiving this e-mail because your information has been registered and will be scheduled for weekly payments directly from the Payroll department. The Paycheck that covers the expenses for the office supplies you will be working with is attached in this email." The check looks real and if you took it to a bank, might even work. Don't do this! This is the first step in a scam to steal your money. SMCC doesn't send money like this - we use direct deposit. If we need to send you a real check, we'll print it ourselves and mail it to you.
Report Phishing Emails
If you identify that an email may be phishing or suspicious, follow the steps below to mark it as phishing. This will notify the IT HelpDesk and prompt an investigation into the email.
- Open the message.
- In the top right, click the three-dots icon, then click Report Phishing
Reporting messages as phishing also lets Gmail know and can help them prevent future attacks.
Additional Reading
The SANS Institute offers a range of informational articles and resources. Here are some from their newsletter covering common scams:
Spot and Stop Messaging Attacks: https://www.sans.org/newsletters/ouch/spot-and-stop-messaging-attacks/
Phishing Attacks Are Getting Trickier: https://www.sans.org/newsletters/ouch/phishing-attacks-getting-trickier/
Top Three Social Media Scams: https://www.sans.org/newsletters/ouch/top-three-social-media-scams/
Vishing - Phone Call Attacks and Scams: https://www.sans.org/newsletters/ouch/vishing/
How Cyber Attackers Trick You: https://www.sans.org/newsletters/ouch/emotional-triggers-how-cyber-attackers-trick-you/
Here are a couple articles from the Federal Trade Commission:
Recognize and Avoid Phishing Scams: https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams
Spot and Avoid Fake Check Scams: https://consumer.ftc.gov/articles/how-spot-avoid-report-fake-check-scams
Report Fraud
You can help fight future scams by reporting fraud, or get help if you have been taken advantage of.
In all cases, even when you're not sure a message is fraudulent, you can report the message to the IT HelpDesk. We would always rather investigate and tell you a message is legitimate instead of having you lose access to your account, your personal information, or your money.
You may also report fraud to federal and local agencies:
In all cases, report fraud to the FTC: reportfraud.ftc.gov
If you lost personal information, report identity theft: https://www.identitytheft.gov/#/Info-Lost-or-Stolen
You may also file a complaint with your state Attorney General office: https://www.consumerresources.org/file-a-complaint/