Email & Web Security - Phishing Awareness

How to be aware of scams in email and online and protect yourself and your data.

Awareness

The first step to protect yourself when using email is to realize that email is an open medium – anyone can send you emails. Also, it is fairly easy for someone to change the name that appears as the sender of an email and make it look like the email is coming from someone you trust. When that happens, it's called "spoofing" an email address. Another way that hackers can try to trick you into believing an email is legitimate is to first hack the account of someone you trust, and then use that account to send you fake emails. In both of these cases, it pays to always have a safely skeptical attitude when going through your inbox.

What is "phishing"?

Phishing is the term used to describe hackers trying to steal your login credentials or other information by sending you fake emails.

"Spear phishing" is a term for phishing that is targeted specifically at you or an organization that you are a part of. With spear phishing, hackers may study you, your colleagues, and the way your organization operates and then try to mimic what you are used to in order to trick you. For example, they may send you an email that looks like it is coming from one of your colleagues or the president of your organization. They may also build fake websites that look like the ones you are used to in order to get you to sign into those fake websites.

Things you can do

  • Be aware that email is an open medium just like the web
  • Be skeptical of incoming messages, even if they look like they are coming from people you trust
  • Use the tools below to check the authenticity of emails and websites
  • Be wary of attachments and links, especially if they prompt you to sign in to websites or provide credentials to open them. Always navigate directly to websites instead of clicking links in emails.
  • Contact a colleague or the Information & Technology Services department for help

Note: Curious about how to pick good passwords and manage them? Read our Ten Tips for Being Safe Online.

Actions

Checking the authenticity of emails

Gmail provides tools for verifying the details of email messages. The easiest of these to use is the drop-down arrow next to the sender's name. Click on it to reveal details. As you can see below, one quick test is to see if the email address of the sender is actually the real address you would expect.

An obviously fake ("spoofed") Dominican email

Let's assume Jane Smith is an authority figure at Dominican. If you received the email below, you could check to see if jane.smith@dominican.edu really sent it. In this case, the email address doesn't look like a Dominican address at all. This is just one way to test the authenticity of an email. Remember that if Jane Smith's email account were hacked, even this check wouldn't be foolproof. But it's a great way to uncover obviously "spoofed" emails.

(Screenshot: a fake email example)

A Dominican email that is more likely to be legitimate

In the case below, we can see three things:

  1. The email address looks like a real Dominican email address (good!)
  2. The email was sent by dominican.edu (good!)
  3. The email was signed by dominican.edu (good!)

(Screenshot: a normal email showing the address, "mailed by" and "signed by" details)
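The three checks in the list above correspond to what a mail server records when it receives a message: the From address, the SPF result (Gmail's "mailed by") and the DKIM signature (Gmail's "signed by"). The following is an added example, not part of the page or Gmail's own code, that applies those three checks to constructed sample messages; the server name mx.example and the sample headers are made up for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EXPECTED = "dominican.edu"  # the domain the page tells readers to expect

def from_domain(msg) -> str:
    """Domain of the address in From: (check 1: the address looks like a Dominican one)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def auth_results(msg) -> dict:
    """SPF and DKIM verdicts from Authentication-Results, the header your own mail
    server adds; Gmail's 'mailed by' reflects SPF and 'signed by' reflects DKIM.
    Only trust this header when it was added by your receiving server."""
    ar = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", ar)
    dkim = re.search(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", ar)
    return {"spf": (spf.group(1), spf.group(2).lower()) if spf else ("none", ""),
            "dkim": (dkim.group(1), dkim.group(2).lower()) if dkim else ("none", "")}

def check_email(raw: str, expected: str = EXPECTED) -> dict:
    """The three checks from the page; each is True only when it matches `expected`."""
    msg = message_from_string(raw)
    res = auth_results(msg)
    return {"address_ok": from_domain(msg) == expected,
            "mailed_by_ok": res["spf"] == ("pass", expected),
            "signed_by_ok": res["dkim"] == ("pass", expected)}

# Constructed sample messages (not real mail); mx.example stands in for the receiving server.
GOOD = """From: Jane Smith <jane.smith@dominican.edu>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=jane.smith@dominican.edu; dkim=pass header.d=dominican.edu

Agenda for Monday attached."""
WRONG_ADDRESS = """From: Jane Smith <jane.smith@dominican-edu-mail.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=jane.smith@dominican-edu-mail.example; dkim=pass header.d=dominican-edu-mail.example

Please sign in to keep your account."""
# Looks right at a glance but fails the "mailed by" / "signed by" checks.
RIGHT_ADDRESS_NO_AUTH = """From: Jane Smith <jane.smith@dominican.edu>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=jane.smith@dominican.edu; dkim=none

Please sign in to keep your account."""

if __name__ == "__main__":
    for name, raw in [("GOOD", GOOD), ("WRONG_ADDRESS", WRONG_ADDRESS),
                      ("RIGHT_ADDRESS_NO_AUTH", RIGHT_ADDRESS_NO_AUTH)]:
        print(name, check_email(raw))
```

The third sample shows why the address check alone is not foolproof: the From line matches, but neither the sending server nor a signature vouches for it.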

Checking the authenticity of websites

As mentioned above, it is best to navigate directly to websites, and not click on links in emails. But how can you tell if a website is legitimate? Look at the address in the top address bar in your browser and learn how to read the path. Details are below.

Examples of non-legitimate Dominican or Google websites

The examples below are NOT Dominican websites. You can tell because the "domain name" (the part of the address that comes right after http:// or https://) is not (something).dominican.edu. Instead it is some other domain, followed by information that is made to look like dominican in some way. Examples:

(Screenshot: Not legitimate! Examples of bad Dominican URLs)

Example of a non-legitimate Google website:

(Screenshot: Not legitimate! Example of a bad Google site)

Note: Dominican business is not always limited to only Dominican or Google websites. Sometimes, we may use other companies' services. However, in those cases, you should be aware of those services as being delivered via legitimate companies and web addresses (URLs). Understanding how to read a website address will help you figure out whether a website is providing a legitimate service for the university or not.

Examples of legitimate Dominican or Google websites

Real Dominican websites will start with dominican.edu or (something).dominican.edu right after HTTP or HTTPS. Below are examples:

(Screenshot: examples of good Dominican sites)

Similarly, a real Google website will start with google.com or (something).google.com:

(Screenshot: example of a good Google site)
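The rule in the two sections above is that only the host right after http:// or https:// counts, and it must be dominican.edu, google.com, or end in ".dominican.edu" / ".google.com". Below is an added example, not part of the page, that applies that rule to constructed sample URLs; the lookalike addresses ending in .example are made up for the demo and are not real sites.

```python
from urllib.parse import urlsplit

# The two legitimate domains named on the page.
TRUSTED_DOMAINS = ("dominican.edu", "google.com")

def host_of(url: str) -> str:
    """Return the lowercased host of a full http(s) URL, i.e. the text right after
    http:// or https://. Anything before an '@' (userinfo) and any port are dropped,
    so a URL like https://dominican.edu@other.example/ is judged on other.example."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ""  # bare 'dominican.edu/...' without a scheme is not accepted here
    return parts.hostname.lower()

def belongs_to(host: str, domain: str) -> bool:
    """True only if host IS the domain or is (something).domain; a domain that merely
    appears somewhere inside the host (dominican.edu.other.example) does not count."""
    return host == domain or host.endswith("." + domain)

def classify(url: str) -> str:
    """Label a URL the way the page does: legitimate only if its host belongs to a trusted domain."""
    host = host_of(url)
    for domain in TRUSTED_DOMAINS:
        if belongs_to(host, domain):
            return f"legitimate ({domain})"
    return "NOT legitimate"

# Constructed sample URLs for the demo; none are real links from the page.
SAMPLES = [
    "https://www.dominican.edu/login",               # (something).dominican.edu
    "https://mail.google.com/mail",                  # (something).google.com
    "https://dominican.edu.login-portal.example/",   # dominican.edu is not the domain here
    "https://login-portal.example/dominican.edu/",   # dominican.edu only appears in the path
    "https://dominican.edu@login-portal.example/",   # dominican.edu only appears before '@'
    "http://dominican-edu.example/",                 # hyphen instead of dot
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):26} {url}")
```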

If you have any questions about how to read website addresses, please feel free to reach out to the Information & Technology Services department for assistance. Also, don't forget to read our brief Ten Tips for Being Safe Online.