One of the easiest ways to collect your personal information is to trick you into just handing it over, called phishing. Phishing attacks use 'spoofed' emails, fraudulent websites, and even phony customer service calls to fool you into giving out your personal information, such as credit card numbers, account usernames and passwords, social security numbers, etc. Phishing is a type of social engineering attack and is often coupled with other methods to gain information about a target.
- Never give out or enter sensitive or personal information unless you initiated the contact
- Look for obvious signs of phishing, but don’t rely on them
- Think before you click. If something sounds unusual, don’t click on it
- Find an official phone number or website to contact the legitimate company or person to follow up on the message
Look for obvious signs
Many phishing attempts will have obvious signs they are not legitimate, but others will have very little indication they are trying to steal your information until they ask for it.
Signs of phishing include:
- Asking for your personal information or taking you to a website that asks you to sign in or enter other personal information
- Urgent calls to action, often with serious consequences (e.g., “You must verify your information immediately or your account will be deleted.")
- Messages containing poor grammar and typos
- Messages coming from an unusual name or email address (e.g., a message may appear to come from “firstname.lastname@example.org)
- Website addreses that don’t make sense (e.g., a link takes you to “unlv.web.com” instead of “unlv.edu”)
- High-interest messages that provide little context as to what they are about (e.g., “I really thought you might enjoy this! mypix1545334.com”)
However, information can be mimicked, accounts can be compromised, and sophisticated attacks can look exactly the same as legitimate messages.
Examples of phishing messages targeted at UNLV users:
The only way to prevent your information from being compromised is to never provide your username, password, or other personal information to someone who asks you for it first.
Think before you click
Using common sense and being precautious can save you from most attacks. Consider these situations:
- You get an email from a cousin you haven’t heard from in three years with the message, “Check out my new photos!”
Think: Why would they be sending you something so unexpectedly and with so little explanation? They probably aren’t. Their email account is probably compromised with a virus.
- You see a Facebook post that “Well Known Company” is giving away $100 gift cards, you just have to visit wellknowncardgiveaway.freesites.com to sign up.
Think: Why would they use such an unusual web address instead of their official website wellknown.com? They wouldn't, and the site is more than likely fake.
- You get a phone call from someone claiming to be from your bank, stating that there has been a suspicious charge on your account and they need you to verify your name, address, and credit number or they will freeze the account.
Think: How do I know this is a legitimate call from my bank? Why do they need all that information? How else could I otherwise verify this call (e.g., sign in to their official website, contact the customer service number printed on the back of the card, etc.)? If they are your bank, they won’t mind you wanting to call them back at their official phone number.
What to do if you you’ve been phished
- If you receive a message you think might be attempting to phish you, do not follow the instructions. You will be providing important personal information to criminals.
- When you receive spam or phishing messages, click the "Report Spam" button in Gmail. This helps Gmail know to block the message and helps stop other people from receiving it. If you click the "Unsubscribe" link in spam emails, it may actually prove to the sender that the account is active and cause you to get more spam.
- Check one of the "antiphishing" pages below to see if it’s a known attempt.
- If the message came from someone you know or a company you do have an account with, call the person or company to verify its authenticity using a known, official phone number, not one in the phishing message, which can be fake as well.
- If your personal information has been compromised, change any compromised account passwords, contact any financial institutions, etc. You may want to consider contacting a credit agency to put a suspicious activity alert on your credit profile.
- If you believe your university information may have been compromised, contact the IT Help Desk immediately.
- If you received the message to your UNLVMail or Rebelmail, forward it to email@example.com so we can block it from our mail systems.