Information Security Tips (November 2022) - Be careful with phishing!
Ref. No: ICTO-I-2022-161
Posted by: jovitatou/UMAC
Department: ICTO
Posted Date: 03/11/2022
Category: Bulletin

Information Security Tips
    To: All Users

    Phishing is a form of social engineering attack in which the attacker (the phisher) masquerades as a legitimate entity to solicit personal or sensitive information, or to infect a user's machine with malware.

    Common Types of Phishing:
    1. Deceptive Phishing: phishers craft messages that look almost identical to those of legitimate companies or reputable sources to lure individuals into providing sensitive data.
    2. Pharming: attackers modify system files on a compromised computer (for example the hosts file or the DNS settings), so that the web browser silently redirects a user's access from a legitimate website to a fraudulent one, for the purpose of stealing the user's login credentials or sensitive data.
    3. Fraudulent applications: fake mobile apps impersonate trusted brands and compromise mobile devices with malware designed to steal confidential data. By replicating the appearance and functionality of legitimate apps, they trick users into installing malicious content.
    4. Wi-Fi Phishing: attempts to steal sensitive data by convincing wireless network users to connect their mobile devices to a malicious Wi-Fi access point (AP).
    5. Quick Response (QR) Code Phishing: takes advantage of users' implicit trust in QR codes, and of the habit of scanning them without thought, to carry out malicious actions on mobile devices, typically by opening a phishing page or triggering a malicious download.
    6. Social Media Phishing: encompasses online scams that rely on the implied trust of social media channels such as Facebook and WeChat to trick users into providing login credentials or sensitive data, through impersonation, romance scams, fake event invitations, etc.

    Common Characteristics of Phishing:
    • It may use a website address that closely resembles that of the legitimate website (e.g. a swapped, added or look-alike character, or the legitimate name used as a subdomain of an unrelated domain).
    • It may use genuine-looking content, including real links to pages of the legitimate website, or even a clone of the legitimate website, to entice visitors into entering their sensitive information.
    • It may place a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) in front of the page, so that automated security scanners are blocked while human visitors are redirected to the malicious website once they pass the test.
    • It may take the form of a pop-up window shown in the foreground with the genuine web page in the background, so that visitors are misled into thinking they are still on the legitimate website.
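    The first two characteristics (look-alike addresses and genuine-looking links whose text does not match their target) can be checked mechanically before anyone clicks. The following Python script is an added example, not part of this bulletin or of any ICTO tool; the allowlist of legitimate domains, the confusable-character table and the sample message are all constructed for illustration. It flags a hostname as a look-alike when it embeds a legitimate domain name as a subdomain of another domain, when it matches a legitimate name after folding common character substitutions (rn for m, 0 for o, punycode-encoded Unicode), or when it is within one edit of one; it also lists HTML links whose visible URL points to a different host than the real href.

```python
"""Look-alike domain and mismatched-link check for a suspected phishing message.
Added example (not from the ICTO bulletin); all names and samples below are constructed."""
import re
import unicodedata
from urllib.parse import urlparse

# Constructed allowlist of domains the organisation actually uses (assumption).
LEGITIMATE_DOMAINS = {"um.edu.mo", "umac.mo"}

# Character sequences commonly substituted for Latin letters in look-alike names.
# Multi-character entries come first so they are folded before single characters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ANCHOR_RE = re.compile(r"<a\s[^>]*href=[\"']([^\"']+)[\"'][^>]*>(.*?)</a>",
                       re.IGNORECASE | re.DOTALL)


def canonical_host(host):
    """Lower-case, decode punycode (xn--) labels and strip accents, so that
    visually similar Unicode hostnames are compared as plain ASCII."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # not valid punycode or already non-ASCII: compare as given
    host = unicodedata.normalize("NFKD", host)
    return "".join(c for c in host if not unicodedata.combining(c))


def fold_confusables(host):
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def edit_distance(a, b):
    """Levenshtein distance, classic dynamic-programming form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host):
    """Return 'legitimate', 'lookalike' or 'unrelated' for a hostname."""
    host = canonical_host(host)
    if not host:
        return "unrelated"
    for legit in LEGITIMATE_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return "legitimate"
    labels = host.split(".")
    for legit in LEGITIMATE_DOMAINS:
        # Legitimate name used as a leading or inner label sequence of another
        # domain, e.g. um.edu.mo.account-verify.example
        if "." + legit + "." in "." + host + ".":
            return "lookalike"
        target = fold_confusables(legit)
        # Compare every suffix of the host (login.um-edu.mo -> um-edu.mo -> mo)
        for i in range(len(labels)):
            candidate = fold_confusables(".".join(labels[i:]))
            if candidate == target or edit_distance(candidate, target) <= 1:
                return "lookalike"
    return "unrelated"


def scan_urls(text):
    """Classify every http(s) URL found in a message body."""
    return [(url, classify_domain(urlparse(url).hostname or ""))
            for url in URL_RE.findall(text)]


def mismatched_anchors(html):
    """Links whose visible text is a URL on a different host than the href."""
    out = []
    for href, inner in ANCHOR_RE.findall(html):
        shown = URL_RE.search(inner)
        if shown is None:
            continue
        real_host = canonical_host(urlparse(href).hostname or "")
        shown_host = canonical_host(urlparse(shown.group(0)).hostname or "")
        if real_host != shown_host:
            out.append((shown.group(0), href))
    return out


# Constructed sample message (not a real phishing e-mail).
SAMPLE = """<p>Your mailbox is full. Verify at
<a href="https://um.edu.mo.account-verify.example/login">https://um.edu.mo/login</a>
or https://urn.edu.mo/reset or http://login.um-edu.mo/ . Help: https://um.edu.mo/help</p>"""

if __name__ == "__main__":
    for url, verdict in scan_urls(SAMPLE):
        print(f"{verdict:11} {url}")
    for shown, real in mismatched_anchors(SAMPLE):
        print(f"link text {shown} actually points to {real}")
```

    Running the script on the constructed sample reports the two um.edu.mo links as legitimate, the other three as look-alikes, and one link whose displayed address differs from its target. The edit-distance threshold of one is deliberately tight; a mail gateway would normally also consult a list of previously seen phishing domains, which this example leaves out.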

    Responding to Phishing Attacks
    • Delete the phishing message immediately so that the malicious content cannot be opened again.
    • Reset the login credentials (e.g. the login password) of any user account that may have been compromised.
    • Take any affected device offline and perform a complete scan of it to verify whether malware has been downloaded.
    • Report the details of the phishing attack to the appropriate parties (e.g. IT administrators, the Police Force) immediately, and take the appropriate follow-up actions (e.g. change the password at once, update the system to the latest version, etc.).


    Should you have any enquiries, please feel free to contact ICTO Help Desk.

    ICTO Help Desk
    Location: Room 2085, 2/F, Central Teaching Building (E5)
    Telephone: 8822 8600
    Email: icto.helpdesk@um.edu.mo


    Information and Communication Technology Office