What is phishing and how do I protect myself from email scams?

Phishing is a malicious attack using social engineering to steal private information from a user. This illegal activity is usually attempted through email and its goal is to obtain a user's account information and/or password.

The best protection from phishing is education. Phishing attempts are getting more sophisticated as they trick more users into believing that it is a legit request from a company to retrieve needed information. There are some common things to look for so you can protect yourself.

1. Bad grammar – Many phishing attempts come from attackers in non-English speaking countries so the email may contain bad grammar and misspellings.
   
2. Request sensitive information – The main goal of phishing attempts is to retrieve sensitive information from a user. These emails will either ask you to reply with your account information (credit card #, bank account #, passwords, etc...) or direct you to a website where it will request your information. Coastal will never ask you for your password or tell you overthe email to renew your account information.
   
3. False links to websites – Many phishing attempts will direct a user to a false company website to con them into entering private information. Links often look like they are directing you to a legit site, but they are actually sending you to a false site. One-way to determine a link to a false website is by placing your mouse over the link without clicking a button. With the mouse over the link, you should see the actual link that it points to.

Here are two false links:

When you place the mouse over the link, the actual link is visible below. In this case, the actual link is an IP address (192.168.0.100). It is typical behavior for a phishing email to link to an IP address.

In this case the link below tries to look like Coastal's real homepage (http://www.coastalfcu.org), but substitutes other characters to create http://co@stalfcu.org.

What is vishing and how do I protect myself from these scams?

Vishing is another malicious attempt based on social engineering, only this time instead of contact through email, the attacker uses the telephone. This threat is only recently becoming popular, but it is quickly gaining speed as more users are able to detect email phishing attempts.

Vishing is usually attempted in one of two ways:

1. An attacker who pretends to be an employee of a company will ask a user for their account information and/or password. Caller ID boxes can easily be fooled into showing the name and number of anything an attacker wants the user to see.
   
2. An attacker sets up an automated message which asks you to either speak or key in your account information and/or password.
   If you ever receive a call from someone claiming to work at Coastal who needs your password and/or account information, hang up immediately and call Coastal to report the issue.

This information is brought to you by Coastal's Information Security Group.