How to avoid getting reeled in during phishing season

Take safeguards to avoid falling prey to phishing
email scams.

Last month the Oak Ridge National Laboratory, ORNL, experienced a major attack on its computing systems. A phishing email was sent and a few employees clicked on the attachment, which caused malware to be installed on their machines and spread to other systems at the laboratory. This attack caused ORNL’s Internet service and email to be down for roughly two to three days. Cleaning up the damage required ORNL staff and a team of experts from other laboratories and organizations.

An event like this is a cautionary tale, hopefully reminding all email users of the importance of remaining vigilant about suspicious email. Take a few minutes now to review the characteristics of a phishing email and the steps you can take to avoid falling prey to an attack.

What you can do:

  • Don’t read your email in HTML mode. Read in plain text mode and turn on HTML only when necessary or for messages you expect, such as Fermilab Today. This also allows you to see the true URLs before you make a decision whether to click on them.
  • Don’t send email in HTML mode unless necessary.
  • Don’t trust email just because it appears to come from someone you know, it’s easy to fake the “From” address.
  • Examine the return address for consistency with the message: A message about your health benefits should come from an address at Fermilab. If it comes from some other domain, be suspicious.
  • Never, ever, ever send your password to anyone.
  • Watch out for “spear phishing” emails. These emails appear to be sent from known contacts, and include contents you are expecting. For example, fake quarterly reports from financial institutions are sent at the same time you expect the real report.
  • Be aware of phishing associated with events in the public news. For example, fake requests for money to help victims of the earthquake in Japan were sent during first few weeks of that disaster.

— Mark Leininger, computer security manager