Phishing
Phishing attempts come in many forms and are often made to look like requests from known vendors or associates. Most of these attempts have links that forward victims to nefarious websites in an effort to collect passwords and personal or confidential information; however, some may simply try to initiate a dialogue, which ultimately ends with them asking for unrecoverable items like gift cards or electronic transfers.
When people provide account information to cybercriminals, it negatively affects school business. For example, once an internet provider detects that an LBCC account is generating a substantial number of phishing emails, all outbound email is blocked. This means that external recipients, including students, no longer receive communication from the District.
Important Reminders:
- Never supply your login credentials (user ID and password) or personally identifiable information in response to an email or text.
- Never provide your password to anyone: not your coworker, not your boss, not even ITS. Administrative Procedure 3720 specifically prohibits the sharing of login credentials.
How to Report a Phishing Email
If you think you received a phishing email, you have two primary ways to report it:
- Use the Outlook Report Phishing button (preferred), or
- Forward the original email as an attachment to reportaphish@lbcc.edu.
Once you have reported the message, simply delete it.
Important: if you suspect that you have fallen victim to a phishing attempt or inadvertently provided your password to an unauthorized source, please follow the additional 2 steps:
- Reset your password immediately, and
- Call the ITS HelpDesk at x4357 and provide specific details of the event.
Furthermore, if you’ve fallen victim to an internet scam, you are encouraged by law enforcement agencies to report it.
Social Engineering and Phishing
In technology, the term social engineering is used to describe the use of deception to lure people into revealing personal and/ or confidential information with the intent of using that information for fraudulent purposes. Social engineering spans various modes of communication and is often used to target specific groups.
Phishing is a form of social engineering that uses email and often includes more focused schemes such as spear-phishing (appears to be from someone you know) and whaling (high-value targets such as executives). Other forms include vishing (over the phone) and smishing (via phone texts).
Indicators of a Phishing Attempt
Most phishing attempts include more than one of the following red flags:
- Strange or Unfamiliar Senders
If the “From” address looks odd, slightly misspelled, or does not match the company it claims to be from, it’s probably not legitimate. - Suspicious Links
Hover over links before you click on them. If the web address looks odd or does not match the message, do not open it. - Unexpected Attachments
Be leery of attachments, especially if the sender asks you to reset a password, view a document, or pressures you to make a quick decision. - Pressure or Threats
Many scams try to create a sense of urgency (“Your account will be closed!”). Legitimate organizations never use scare tactics to get you to respond. - Poor Spelling, Grammar, or Formatting Errors
Although typos, odd phrasing, or strange fonts are still red flags, modern scams have evolved and are more polished, so you still need to stay alert even if it looks professional. - Website Spoofing
Some phishing emails link to sites that copy the look of trusted brands (PayPal, Office 365, etc.). Instead of clicking the link, type the company’s official web address directly into your browser. - Unrealistic Promises or Offers
If an email promises rewards, refunds, or job offers that seem too good to be true, they probably are.
Examples of Phishing Attempts
Norton antivirus provides a few visual examples to help you identify phishing attempts. With that in mind, be aware that perpetrators have used the Long Beach City College logo against employees in an attempt to lure victims.
Phishing Decision Tree
Proofpoint, a leading cybersecurity company, has shared Practical Advice for Avoiding Phishing Emails in the form of a decision tree to help users verify unknown emails.
Videos on Phishing
Recognize and Report Phishing (1:01)
Courtesy of CISA
- Higher Education Information Security Council (HEISC): Information Security Awareness Video: “Phishing:E-Safe” (1:02)
- Federal Communications Commission (FCC): Spoofing, Scamming, and Crackdown on Unwanted Calls (0:58)
- Federal Trade Commission (FTC): Hang Up and Report Phone Fraud (3:07)
Common Types of Phishing Scams
Phishing is used to facilitate a variety of imposter scams. According to the Federal Trade Commission, victims are now losing billions of dollars each year to these types of scams.
- Gift Card Scams
- Fake Check Scams
- Phone Scams
- Sextortion
- Tax Scams
- Tech Scams
- Other Common Scams
Online Phishing Quizzes
Test your newly acquired skills by taking one or more of the following:
- Cisco OneDNS’s Phishing Quiz.
- Phishing Quiz with Google.
- SonicWall’s Phishing IQ Quiz.
Additional Resources
- Infographic: Phishing, Don’t Take the Bait.
- Cheat Sheet: Social Engineering Red Flags
- How to Recognize and Avoid Phishing Scams
If You See Something, Say Something
Cybersecurity is a shared responsibility. Please report any suspicious activity or unauthorized access to computers, software, and websites to the Office of Information Security.
If you need to report a potential crime or similar non-emergency situation, please refer to the Police & Campus Safety website.
Protect your password
Important: Administrative Procedure 3720 specifically prohibits the sharing of login credentials, so you must never provide your password to anyone: not your coworker, not your boss, not even ITS.
Don’t be a victim of phishing!
Whether you are working from the office or remotely, please maintain your cyber vigilance by:
- Recognizing and reporting Phishing Attempts and Common Types of Scams,
- Protecting yourself from Ransomware,
- Reviewing Password and Passphrase Best Practices, and
- Implementing Cybersecurity Best Practices When Working Remotely.