Phishing explained
Phishing scams are fraudulent messages that appear to come from legitimate sources (such as your employer, your internet service provider, your bank, social media, etc.). These messages usually direct you to a spoofed website or otherwise get you to divulge private information (for example, passphrase, credit card, or other account updates). The perpetrators then use this private information to commit identity theft, or worse.
Phishing scams are social engineering tools designed to create a sense of panic for the recipient. These scams attempt to trick recipients into responding or clicking immediately, by claiming they will lose something (for example, email, bank account, etc.). Such a claim is always indicative of a phishing scam.
- Learn about the specific types of phishing.
- Learn how to spot a phishing message.
- Learn what to do if you’ve been phished.
- Learn what to do if you have given away your email/username and password.
- Tips to avoid job-related phishing scams.
Specific types of phishing
Phishing scams can vary widely in terms of their intended goal.
Email Phishing
Email phishing is the most common type of phishing, and it has been in use since the 1990s. Hackers send these emails to any email addresses they can obtain. The email usually informs you that there has been a compromise to your account and that you need to respond immediately by clicking on a provided link. These attacks are usually easy to spot as language in the email often contains spelling and/or grammatical errors.
Some emails are difficult to recognize as phishing attacks, especially when the language and grammar are more carefully crafted. Checking the email source and the link you are being directed to for suspicious language can give you clues as to whether the source is legitimate. Learn how to identify a phishing email by watching this short video, or by viewing this slide presentation.
Spear phishing
Phishing attacks directed at specific individuals are referred to as “spear phishing”. Since these attacks are so pointed, attackers may go to great lengths to gather specific personal or institutional information in the hope of making the attack more believable and increasing the likelihood of its success.
The best defense against spear phishing is to carefully, securely discard printed information that could be used in such an attack. Further, be aware of data that may be relatively easily obtainable (for example, your title at work, your favorite places, or where you bank), and think before acting on seemingly random requests via email or phone. Be cautious about how much personal information you share on social media platforms.
Whaling
The term “whaling” is used to describe phishing attacks (usually spear phishing) directed specifically at executive officers or other high-profile targets within a business, government, or other organization.
Smishing
Smishing is a phishing attack delivered through text messaging (short message service, or SMS). A common smishing technique is to deliver a message to a cell phone through SMS that contains a clickable link or a return phone number.
A common example of a smishing attack is an SMS message that looks like it came from your banking institution. It tells you your account has been compromised and that you need to respond immediately. The attacker asks you to verify your bank account number, SSN, etc. Once the attacker receives the information, the attacker has control of your bank account.
Vishing
Vishing has the same purpose as other types of phishing attacks. The attackers are still after your sensitive personal or corporate information. This attack is accomplished through a phone call.
A common vishing attack includes a call from someone claiming to be a representative from Microsoft. This person informs you that they’ve detected a virus on your computer. You’re then asked to provide credit card details so the attacker can install an updated version of anti-virus software on your computer. The attacker now has your credit card information and you have likely installed malware on your computer.
The malware could contain anything from a banking Trojan to a bot (short for robot). The banking Trojan watches your online activity to steal more details from you – often your bank account information, including your password.
A bot is software designed to perform whatever tasks the hacker wants it to. It is controlled through a command and control (C&C) channel and can be directed to mine bitcoins, send spam, or take part in a distributed denial of service (DDoS) attack.
Search Engine Phishing
Search engine phishing, also known as SEO poisoning or SEO Trojans, is where hackers work to get their site ranked as the top hit for a search in a search engine. Clicking on their link displayed within the search results directs you to the hacker’s website. From there, threat actors can steal your information when you interact with the site and/or enter sensitive data. Hacker sites can pose as any type of website, but the prime candidates are banks, money transfer, social media, and shopping sites.
Don’t take the bait – Learn how to spot a phishing message
When you receive an email message, please consider the following:
- Are there red flags?
- Does the message ask for any personal information (password, credit cards, SSN, etc.)?
- Does the message ask for sensitive information about others?
- Does the message offer things such as work or internship opportunities?
- Does the message ask for help with tutoring or training?
- Does the message ask you to immediately open an attachment?
- Hover your mouse over the links in the email. Does the hover-text link match what’s in the text? Do the actual links look like a site with which you would normally do business?
- When hovering over the link, does it look like the link belongs to the organization sending the message? Remember, generally speaking, the organization’s official website should be the last part of the domain name, before any subdirectory “/”. In some cases where 3rd party software is involved, the last part will be the domain of the 3rd party.
- If still in doubt, go to the company’s website to see if they have any references to the information contained in the email message. In many cases, if there is a known phishing scam, companies will mention them on their websites.
- Does the “From” email address look like either someone you know, a business you work with, or a proper Goshen College email address?
- Does the From address that is displayed match the actual address that the message came from? Most email programs/services allow you to click to expand the From address to see the actual address that the message is coming from.
- Were you not expecting an email of this nature (e.g. password reset, account expiration, wire transfer, travel confirmation, package shipment, etc.)?
- Is the email from an entity / person with whom you do not do business?
- Is it difficult to think of how the sender legitimately obtained your email address?
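The hover check above (does the link’s real host end with the organization’s domain, or with a known 3rd party’s, and does it match the text you see?) can be written down as a small checker. This is an added example, not part of the original page; the sample links, the host mygc.goshen.edu and the vendor domain are constructed, and only goshen.edu is taken from the page.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit


def hostname_of(url):
    """Return the lowercase host a browser would actually connect to."""
    if "://" not in url:
        url = "http://" + url          # bare "host/path" style links
    return (urlsplit(url).hostname or "").lower()


def belongs_to(host, org_domain):
    """True only when org_domain is the tail of the host, i.e. the part right before the first '/'."""
    org_domain = org_domain.lower()
    return host == org_domain or host.endswith("." + org_domain)


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_link(visible_text, href, org_domain, trusted_third_parties=()):
    """Return the red flags raised by one link (an empty list means nothing suspicious)."""
    flags = []
    parts = urlsplit(href if "://" in href else "http://" + href)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        flags.append("userinfo")        # text before '@' is a username, not the host
    if is_ip_literal(host):
        flags.append("ip-host")         # a bare IP address is never an organization's site
    shown = visible_text.strip()
    if "." in shown and " " not in shown and hostname_of(shown) != host:
        flags.append("text-href-mismatch")   # the displayed URL is not where you would go
    known = (org_domain,) + tuple(trusted_third_parties)
    if not any(belongs_to(host, d) for d in known):
        flags.append("foreign-domain")
    return flags


if __name__ == "__main__":
    # Constructed samples: (visible text, actual link target).
    samples = [
        ("https://mygc.goshen.edu/login", "https://mygc.goshen.edu/login"),
        ("https://mygc.goshen.edu/login", "http://goshen.edu.account-verify.example/reset"),
        ("Reset your password", "https://goshen.edu@198.51.100.7/reset"),
    ]
    for text, href in samples:
        print(text, "->", href, check_link(text, href, "goshen.edu") or "ok")
```

Pass the domains of 3rd party services the organization really uses in `trusted_third_parties`; anything else outside the organization’s own domain is flagged.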
Learn how to identify a phishing email by watching this short video, or by viewing this slide presentation.
I think I’ve been phished! What should I do?
If you believe you are the recipient of a phishing email message, you can mark the message as spam. Students can mark email as phishing or spam by using the “Report Spam” option in their GC email. Employees can refer to this document for instructions on how to report an email as phishing or spam.
I accidentally responded with my GC email/username and password. What do I do?
If you have given away your GC email/username and/or password, you will need to immediately change your GC password in MyGC. Then notify the ITS Help Desk at (574) 535-7700.
I accidentally responded with my bank or credit card information. What should I do?
If you provided any banking or other financial information, immediately contact your bank or financial institution to make them aware of the scam so that they can help you protect your account with them.
I accidentally responded with my personal account username and/or password. What should I do?
If you have given away your username and/or password of any personal accounts that you have, immediately sign into that account and change the password.
Additional Training
Would you like to receive in-depth training on how to recognize a phishing scam? Contact Patricia Goodman at helpdesk@goshen.edu to schedule a training session.
Tips to avoid job-related phishing scams
Students can be targets of sophisticated jobs scams. Scammers mine details from social networks and public online forums to craft believable narratives to lure students into falling for a job-related scam.
Here are some red flags to look out for:
- Unsolicited Job Offers: Be skeptical of job offers that come out of the blue, especially if they do not come from a company’s official communication channels.
- Requests for Personal Information: No legitimate job offer should require banking details or sensitive personal information upfront.
- High Initial Offers: A lucrative salary package for an entry-level position with little to no interview process can be a tell-tale sign of a scam.
- Pressure Tactics: Scammers often try to create a sense of urgency so that you’ll act quickly without thinking critically about the legitimacy of the job offer.
- Vague Details: Watch out for job descriptions that are unusually vague or lacking in specific duties and requirements.
Here are some recommendations to help you verify the legitimacy of a job offer:
- Verify Sources: Confirm any named individuals actually made the referral. A quick email or phone call to your professor or the alleged referrer can ascertain the truth.
- Protect Personal Information: Treat your personal details like the valuable commodities they are. Share them only when you’re certain of the legitimacy of the request.
- Research Employers: Before responding to job offers, perform thorough research. Visit company websites, check for verified contact details, and read reviews from reputable sources.
- Trust Your Intuition: If anything feels off, it likely is. Trust your instincts and don’t be pressured into moving forward with suspicious job offers.
- Use School Resources: Reach out to GC’s Career Networks department to get help with vetting potential job offers. https://www.goshen.edu/careers