

Why Care?

97% of users cannot identify sophisticated phishing emails

#1: Email is the top way malware is delivered

$1.6M is the average amount lost in a successful spear phishing attempt

Phishing's widespread effect

Successful phishing scams can have a devastating impact. Even phishing attacks that target an organization or company affect the individuals who work for that organization, or customers and partners of that organization.

Take these headline-grabbing stories from recent years, for example:

Emails disguised as Google Docs invites used to get login details
Millions were affected when phishers sent fake emails with a link that took users to a malicious app designed to steal account details. Read more on this story from WIRED.

Chipotle staff received phishing emails with malware targeting credit cards
Cyber-criminals sent emails to employees containing malware used to obtain credit card data of restaurant goers.

Scam targeted users during U.S. tax season requiring personal information
Phishing attacks targeting W-2s in 2017 are estimated to have compromised more than 120,000 people at 100 organizations.

These are JUST A FEW of the many attacks that have compromised companies and everyday users.

Still, it can be hard to connect the facts to our own day-to-day lives, until a phishing attack directly affects us.

Phishing & you

To understand why we should devote the time to protect ourselves, we need to understand what could happen if we fall victim—and why it can be easy to get tricked if we aren't vigilant. 

Explore scenarios

Imagine how a phishing scam could affect your life.

Practice your response.

How to avoid falling prey

Everyone can learn to employ routine habits to avoid falling prey to email scammers. Get help with quick steps you can use and expand your knowledge with the available training and support at IU.

View more tips & strategies.


Email & Phishing Scams

Don't take the bait

If you have an email account, you’ve almost certainly been on the receiving end of attempts to con you into giving up information, buying into a scam, or clicking on malicious links or files.

These emails can take the form of too-good-to-be-true schemes (business/investment opportunities, cure-all or weight-loss products, or lotteries/prizes), crisis alerts (either someone seeking help or indicating you are at risk), or “phishing” for account/personal details by impersonating a trusted institution.

These attempts have become increasingly sophisticated. Scammers can create convincing emails that appear to come from trusted sources, including your bank and even universities like IU.

Following the guidelines below will dramatically reduce the risk of falling victim to email and phishing scams.

Report email and phishing scams

Email or click for the incident reporting form

How to spot a phishing message?

When you receive an email message, please consider these points:

  • Are there red flags?
    • Does the message ask for any personal information (password, credit card numbers, SSN, etc.)?
    • Does the message ask for sensitive information about others?
    • Does the message ask you to immediately open an attachment?
    • Hover your mouse over the links in the email. Does the hover-text link match what's in the text? Do the actual links look like a site with which you would normally do business?
    • When hovering over the link, does it look like the link belongs to the organization sending the message? Remember, generally speaking, the organization's official website should be the last part of the domain name, before any subdirectory "/" (e.g., IU's own domain). In some cases where 3rd party software is involved, the last part will be the domain of the 3rd party (e.g., the vendor domain used for webpages in Canvas). Read the host name from the right: a familiar name at the left of a long host name, or in the path after the "/", says nothing about who owns the site.
    • If still in doubt, go to the company's website to see if they have any references to the information contained in the email message. In many cases, if there is a known phishing scam, companies will mention them on their websites.
    • Does the "From" email address look like either someone you know, a business you work with, or a proper IU email account?
    • Click 'Reply' (without sending). Does the address in the 'To' field match the sender of the message? If not, the message carries a Reply-To address that differs from the displayed sender, a common phishing trick.
    • Bulk commercial solicitation: Are there lots of recipients to whom the email is addressed? IU policy prohibits bulk commercial solicitations unless approved by the Office of Procurement.
  • Is there a lack of positive indicators?
    • Is the message missing a digital signature/certificate?
    • If it's from an IU communication campaign or mass email, is it missing a security footer?
    • Were you not expecting an email of this nature (e.g., password reset, account expiration, wire transfer, travel confirmation, etc.)?
    • Is the email from an entity / person with whom you do not do business?
    • Is it difficult to think of how the sender legitimately obtained your email address?
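The hover and Reply checks above can be run by a script over a saved message. The following Python is an added example, not code from this page or from UITS: it parses a constructed sample message, compares the Reply-To domain with the From domain, pulls every link out of the HTML body, and checks both that the link's registrable domain (the "last part" described above) is one the organization owns and that any URL shown in the link text matches where the link really goes. The trusted-domain set and the tiny suffix table are assumptions; production code would use the Public Suffix List.

```python
"""Automated version of the hover and Reply checks: compare Reply-To with
From, and compare what a link shows with where it really goes.
Added example with a constructed sample message; TRUSTED_DOMAINS and the
suffix table are assumptions."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains this organisation considers its own.
TRUSTED_DOMAINS = {"example.edu"}

# Assumption: tiny stand-in for the Public Suffix List, which real code
# should use so that "co.uk" is not mistaken for a registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.uk", "com.au"}

# Anchor text that itself looks like a URL or host name.
URLISH = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?")


def registrable_domain(host):
    """The 'last part' of a host name, i.e. what its owner registered:
    login.example.edu.evil.com -> evil.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def address_domain(header_value):
    """Domain of an address header such as 'Name <user@host>'."""
    addr = email.utils.parseaddr(header_value)[1]
    return addr.rpartition("@")[2].lower()


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def red_flags(raw_message):
    """Return a list of red-flag labels for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    from_domain = address_domain(str(msg["From"] or ""))
    reply_to = msg["Reply-To"]
    if reply_to and address_domain(str(reply_to)) != from_domain:
        flags.append("reply-to-mismatch")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = AnchorCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = urlsplit(href).hostname
            if not host:
                continue
            target = registrable_domain(host)
            if target not in TRUSTED_DOMAINS:
                flags.append(f"untrusted-link:{target}")
            shown = URLISH.fullmatch(text)
            if shown and registrable_domain(shown.group(1)) != target:
                flags.append(f"link-text-mismatch:{shown.group(1)}->{target}")
    return flags


# Constructed sample: spoofed From, foreign Reply-To, and a link whose
# text says example.edu but whose host is registered by login-verify.com.
SAMPLE = """\
From: Account Services <noreply@example.edu>
Reply-To: helpdesk@example-edu-support.com
To: someone@example.edu
Subject: Verify your account
Content-Type: text/html; charset=utf-8

<html><body><p>Your mailbox will be deactivated. Sign in at
<a href="https://example.edu.login-verify.com/auth">https://example.edu/login</a>
to keep it active.</p></body></html>
"""

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print(flag)
```

Run against the sample, the script reports the Reply-To mismatch, the untrusted registrable domain behind the link, and the mismatch between the URL shown in the link text and the real target. Note that the suffix handling is a simplification: without a real Public Suffix List a host such as evil.co.uk would be reported correctly, but one under a suffix missing from the table would not.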

If you're not sure about the legitimacy of an email message and it targets IU (e.g., asks for those using IU Exchange to "verify their accounts", includes a malicious PDF directed to university human resources, or impersonates IU or UITS), please report it to us and we'll gladly take a look. 

The trusted security footer in IU emails

You will notice that emails from official IU sources have a security footer at the end of the message. This footer includes your name and IU email address. We include this in our emails to help you distinguish between legitimate emails and phishing emails.

Phishing emails look sophisticated and can be hard to separate from authentic messages. These emails typically impersonate a trusted institution and seek out account or personal details, such as username, password or even credit card information.

Learn more about identifying phishing emails and what to do if you think you've been phished.

If you receive an email impersonating Indiana University, please forward the entire email (with full headers) to (The PhishMe Reporter makes it easy.)

DOs and DON'Ts to protect against email and phishing scams

DON'T send passwords or any sensitive information over email

No legitimate business or organization will ask you to send your password, account information, social security number, or other sensitive data over email. NEVER respond to an email requesting personal, financial, or other protected information, even if it appears to be from IU, your bank, or another trusted institution.

Instead, directly contact the institution that the email appears to be coming from, using the number listed on your credit card or bank statement (or equivalent document, such as your cell phone bill if the email claims to be from your mobile provider). If the email appears to be from IU, forward it to, being sure to include full email headers.

DON'T click on "verify your account" or "login" links in any email

Always open a new window and use the institution’s official home page to log into any account.

Links in an email may appear to go to the trusted site, but actually redirect to a page that steals your login information.

DON'T reply to, click on links, or open attachments in spam or suspicious email

Clicking through or replying to spam can verify your email address and encourage more such attempts in the future. Send spam straight to the trash or report it to the FTC at NEVER open attachments from senders you don’t know.

DON'T call the number in an unsolicited email or give sensitive data to a caller

The risks associated with email phishing apply equally to phone calls. By using Voice over Internet Protocol technology, scammers can disguise their true phone number just like they can disguise their email or web address, so don’t assume that a familiar area code or prefix is safe to call.

Phone phishing can be even harder to detect than email phishing. Callers may impersonate institutional personnel, employees (or students) needing your assistance, or even police officers. Never give sensitive information to a caller you don’t know personally. If the need is legitimate, you will be able to call the person back using trusted numbers or email addresses you look up on the official institutional website.

DO report impersonated or suspect email

If you receive an email asking for personal, login or financial account information and appearing to be from IU, your bank, or another trusted institution, forward the email to the FTC at Also forward the email to the organization being impersonated. (Most organizations have information on their websites about where to report problems. You might start by searching on the website for “fraud protection” or “spam” to find the correct email address.) If the suspicious email looks like it came from IU, forward it to, being sure to include full email headers.

You also may report phishing email to The Anti-Phishing Working Group is a consortium of ISPs, security vendors, financial institutions and law enforcement agencies that is building a database of common scams to which people can refer. 

DO be cautious about opening attachments, even from trusted senders

Email accounts can be hacked or impersonated by scammers, so a message that appears to come from someone you know may still carry an attachment infected with a virus or other malware. If opened, such a file can access your data and/or harm your computer. Be wary of opening unsolicited attachments or downloading materials from an email, even if they appear to come from someone you know. If there is any doubt about the legitimacy of the message, consider whether the value of the attachment is worth potentially endangering university resources and/or personal data (i.e., is a $5 food truck coupon really worth it?).

Seek alternate ways of getting the information (coupon, white paper, etc.) claimed to be attached. 

  • Try obtaining the information from the sender's / business' official website. 
  • To reduce the use of attachments, IU uses Box to share files; choose this system over email attachments to improve security.

If you cannot find the information in the attachment elsewhere, examine the file extension on the attachment before opening it. If the extension is among the extensions listed below, it is more likely to be malicious. (This list is non-exhaustive.)

  • .exe
  • .msi, .bat, .com, .cmd, .hta, .scr, .pif, .reg, .js, .vbs, .wsf, .cpl, .jar
  • .docm, .xlsm, .pptm (may contain macros).
  • .rar, .zip, .7z

Caution: no file type is 100% safe, especially if your operating system or any of your programs / apps have not been adequately patched. Also be aware that Windows hides known file extensions by default, so a file named "invoice.pdf.exe" is displayed simply as "invoice.pdf"; check the full name before trusting it. Consider verifying the legitimacy of the email and attachment with the sender, through a channel other than replying to the email, before opening it.
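The extension check above can be scripted, and a script can also catch the two tricks that defeat an eyeball check: a double extension such as invoice.pdf.exe, and an archive whose members are executables. The following Python is an added example, not code from this page or from UITS; the file names and the in-memory ZIP are constructed here, the extension sets follow the list above, and the set of document-like extensions used as disguises is an assumption.

```python
"""Rate an attachment by its file name, catching double extensions, and
look inside ZIP archives for risky members. Added example; the names and
the in-memory archive are constructed, the extension sets follow the
list above plus a few document-like extensions used as disguises."""
import io
import zipfile
from pathlib import PurePosixPath

EXECUTABLE = {".exe", ".msi", ".bat", ".com", ".cmd", ".hta", ".scr", ".pif",
              ".reg", ".js", ".vbs", ".wsf", ".cpl", ".jar"}
MACRO_ENABLED = {".docm", ".xlsm", ".pptm"}
ARCHIVES = {".rar", ".zip", ".7z"}
# Assumption: extensions attackers place before the real one so that a
# file such as invoice.pdf.exe looks like a document when the last
# extension is hidden.
DOCUMENT_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

RANK = {"low": 0, "medium": 1, "high": 2}


def classify_name(filename):
    """Return (level, reasons) for one file name; level is low/medium/high."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes:
        return "medium", ["no extension; the OS may still pick a handler"]
    last = suffixes[-1]
    if last in EXECUTABLE:
        reasons = [f"executable type {last}"]
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_LIKE:
            reasons.append(f"double extension disguised as {suffixes[-2]}")
        return "high", reasons
    if last in MACRO_ENABLED:
        return "high", [f"macro-enabled Office type {last}"]
    if last in ARCHIVES:
        return "medium", [f"archive {last}; contents must be inspected"]
    return "low", []


def classify_zip(data):
    """Rate a ZIP by its worst member, so photos.zip holding
    holiday.jpg.scr is rated high rather than medium."""
    worst, reasons = "low", []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            level, why = classify_name(info.filename)
            if RANK[level] > RANK[worst]:
                worst = level
            reasons.extend(f"{info.filename}: {r}" for r in why)
    return worst, reasons


def build_sample_zip():
    """Constructed sample archive for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("photos/holiday.jpg", b"not really a jpeg")
        archive.writestr("photos/holiday.jpg.scr", b"MZ placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ["report.docx", "budget.xlsm", "invoice.pdf.exe", "setup.ZIP"]:
        print(name, classify_name(name))
    print("photos.zip", classify_zip(build_sample_zip()))
```

The name-based rating is only a first filter: a .docx with an exploit for an unpatched Office, or a PDF carrying a malicious script, is rated low here, which is exactly why the caution above says no type is 100% safe. Password-protected archives, which this code cannot open, deserve the same suspicion as an executable, because the password exists mainly to keep mail gateways from scanning the contents.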

DO install anti-virus and firewall programs

Anti-virus software and a firewall can protect you from inadvertently accepting malicious files.

Anti-virus software scans incoming communications and files for malicious content. Look for anti-virus software that updates automatically and can perform real-time protection.

A firewall blocks unsolicited incoming connections from the Internet, so that services running on your computer are not exposed to anyone who scans for them. It's especially important to run a firewall if you have a broadband connection.

IU provides free anti-virus software through IUware under the Security category. Learn more about firewalls on the Knowledge Base.

DO check financial statements and credit reports regularly

Read your monthly bank account and credit card statements to be sure all charges are authorized, and request free annual credit reports to be sure there are no unauthorized accounts open in your name.

DO restrict who can send mail to e-mail distribution lists

Recent phishing campaigns have targeted IU’s Microsoft Exchange distribution lists. To stave off scammers, UITS security experts recommend administrators of email distribution lists consider whether their lists should be “open” (all recipients can send messages) or “closed” (only members are allowed to send messages).

“Closed” groups are more secure and work best when:

    • The list mostly contains internal messages for members
    • Outside users don’t have frequent reasons to contact the list
    • There isn’t a significant need for the list to be set as open

Additionally, UITS security experts also recommend that administrators of email distribution lists consider using IU List as an alternative to Microsoft Exchange or ADS distribution lists.

If you have questions about how to effectively manage your email distribution list, please contact your department’s IT Pro or your campus Support Center.

Other tips
  • Do protect your personal information. Share credit card or other personal information only when you're buying from a company you know and trust.
  • Do know who you're dealing with. Don't do business with any company that won't provide its name, street address, and telephone number.
  • Do take your time. Resist any urge to "act now" despite the offer and the terms. Once you turn over your money, you may never get it back.
  • Do read the small print. Get all promises in writing and review them carefully before you make a payment or sign a contract.
  • Don’t pay for a "free" gift. Disregard any offer that asks you to pay for a gift or prize. If it's free or a gift, you shouldn't have to pay for it. Free means free.

Help, I think I've been phished! What do I do?

If you believe you've been scammed, file your complaint with the FTC, and then visit the FTC's Identity Theft website at Victims of phishing can become victims of identity theft.

Follow the guide below for specific steps to take according to the type of information you shared:

I accidentally sent...email/username & password/passphrase.

You should... Change your password/passphrase immediately! Also change it anywhere else you used the same one, since attackers try captured credentials against other sites. For your IU Network ID, see: At IU, how do I change my Network ID passphrase?

If you're using a free provider (Gmail, Hotmail, etc.) and you find an increasing and uncontrollable amount of spam, you may wish to change your email address as well. Unfortunately, IU is unable to change your Network ID/email address for spam-reduction purposes.

I accidentally sent...personal information such as: address, bank/financial account number, credit card number or information, answers to security questions, other personal information that can be changed, driver's license/license plate.

You should... While there's no way to "unsend" the email, many of these pieces of information are changeable (especially credit card numbers). Contact the appropriate organization or financial institution. You should also report this as identity theft and take action to protect your accounts.

Please note: the theft of a credit card (or credit card number) alone does not constitute identity theft (as determined by the FTC). You should, however, promptly call the financial institution and have the number changed. You can also work out any erroneous charges on your account.

Also, technically, yes — your address is changeable, if you move. However, consider that only as a last resort; most identity thieves attempt to collect thousands (even millions) of individuals' information during phishing scams; they're likely not singling you out as a target. If you feel your personal safety threatened, contact your local police department.

I accidentally sent...personal information that isn't changeable -- such as: Social Security number, mother's maiden name, date &/or city of birth, health/medical information.

You should... Unfortunately, there's not much you can do about this except defend yourself (electronically). Visit these pages about reporting identity theft and taking action to protect yourself. Being proactive and staying alert/aware of your credit is your best defense.

I accidentally sent...Indiana University institutional data -- or data about others to which I have access.

You should... Contact the administrative office immediately to report the incident.


Avoid phishing scams

To learn how to spot fake email messages and social engineering scams, visit Phishing Education & Training. For online courses on phishing and email security, see Email Security Fundamentals.

Phishing explained

Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (for example, your university, your internet service provider, your bank). These messages usually direct you to a spoofed website or otherwise get you to divulge private information (for example, passphrase, credit card, or other account updates). The perpetrators then use this private information to commit identity theft.

One type of phishing attempt is an email message stating that you are receiving it due to fraudulent activity on your account, and asking you to "click here" to verify your information. See an example below.

Phishing scams are crude social engineering tools designed to induce panic in the reader. These scams attempt to trick recipients into responding or clicking immediately, by claiming they will lose something (for example, email, bank account). Such a claim is a strong indicator of a phishing scam, as responsible companies and organizations will not demand that kind of action via email.

Specific types of phishing

Phishing scams vary widely in terms of their complexity, the quality of the forgery, and the attacker's objective. Several distinct types of phishing have emerged.

Spear phishing

Phishing attacks directed at specific individuals, roles, or organizations are referred to as "spear phishing". Since these attacks are so pointed, attackers may go to great lengths to gather specific personal or institutional information in the hope of making the attack more believable and increasing the likelihood of its success.

The best defense against spear phishing is to carefully, securely discard information (for example, using a cross-cut shredder) that could be used in such an attack. Further, be aware of data that may be relatively easily obtainable (for example, your title at work, your favorite places, or where you bank), and think before acting on seemingly random requests via email or phone.


Whaling

The term "whaling" is used to describe phishing attacks (usually spear phishing) directed specifically at executive officers or other high-profile targets within a business, government, or other organization.

Avoid scams

To guard against phishing scams, consider the following:

  • Indiana University and other reputable organizations will never use email to request that you reply with your password, full Social Security number, or confidential personal information. Be suspicious of any email message that asks you to enter or verify personal information, through a website or by replying to the message itself. Never reply to or click the links in such a message. If you think the message may be legitimate, go directly to the company's website (i.e., type the real URL into your browser) or contact the company to see if you really do need to take the action described in the email message.
  • Read your email as plain text.

    Phishing messages often contain clickable images that look legitimate; by reading messages in plain text, you can see the URLs that any images point to. Additionally, when you allow your mail client to read HTML or other non-text-only formatting, attackers can take advantage of your mail client's ability to execute code, which leaves your computer vulnerable to viruses, worms, and Trojans.

  • If you choose to read your email in HTML format:
    • Hover your mouse over the links in each email message to display the actual URL. Check whether the hover-text link matches what's in the text, and whether the link looks like a site with which you would normally do business.

      On an iOS device, tap and hold your finger over a link to display the URL. Unfortunately, Android does not currently support this.

    • Before you click a link, check to see if the message sender used a digital signature when sending the message. A digital signature helps ensure that the message actually came from the sender.

When you recognize a phishing message, first report it as noted below, and then delete the email message from your Inbox, and then empty it from the deleted items folder to avoid accidentally accessing the websites it points to.

Reading email as plain text is a general best practice that, while avoiding some phishing attempts, won't avoid them all. Some legitimate sites use redirect scripts that don't check the redirects. Consequently, phishing perpetrators can use these scripts to redirect from legitimate sites to their fake sites.

Another tactic is to use a homograph attack, which, due to Internationalized Domain Name (IDN) support in modern browsers, allows attackers to use characters from other scripts (for example, a Cyrillic "а" in place of a Latin "a") to produce URLs that look remarkably like the authentic ones. See Don't Trust Your Eyes or URLs.
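Both tricks above can be checked programmatically. The following Python is an added example, not code from this page: it converts an internationalized host name to the punycode form the browser actually resolves, flags hosts that mix Unicode scripts, folds a small subset of the Unicode TR39 confusables table to see whether a host is a look-alike of a trusted domain, and, for links that do land on a trusted domain, looks for a query parameter carrying a full URL to some other site, which is the pattern an unchecked redirect script is abused through. The trusted domain set, the confusables subset and the sample URLs are assumptions constructed for the example.

```python
"""Detect homograph host names and redirect-through-a-trusted-site
links. Added example; TRUSTED_DOMAINS, the confusables subset and the
sample URLs are constructed assumptions."""
import unicodedata
from urllib.parse import parse_qsl, urlsplit

# Assumption: domains this organisation treats as its own.
TRUSTED_DOMAINS = {"example.edu"}

# Small subset of the Unicode TR39 confusables data: Cyrillic and Greek
# letters mapped to the Latin letter they resemble.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0458": "j",
               "\u0455": "s", "\u0443": "y", "\u03bf": "o", "\u03bd": "v"}


def registrable_domain(host):
    """Last two labels (simplification; real code uses the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def scripts_used(host):
    """Unicode scripts of the letters in host, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in host if ch.isalpha()}


def skeleton(host):
    """Fold look-alike characters to their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def punycode(host):
    """The ASCII form a browser actually resolves for an IDN host."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def analyse_url(url):
    """Return a list of findings for one URL (empty means nothing spotted)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    # Homograph checks on the host name.
    if any(ord(ch) > 127 for ch in host):
        findings.append(f"idn-host:{punycode(host)}")
        if len(scripts_used(host)) > 1:
            findings.append("mixed-scripts")
        folded = registrable_domain(skeleton(host))
        if folded != registrable_domain(host) and folded in TRUSTED_DOMAINS:
            findings.append(f"looks-like:{folded}")
    # Redirect check: a trusted host whose query carries a full URL to
    # some other site, the pattern an unchecked redirect script is abused through.
    if registrable_domain(host) in TRUSTED_DOMAINS:
        for _, value in parse_qsl(parts.query):
            inner = urlsplit(value)
            if inner.scheme in ("http", "https") and inner.hostname:
                dest = registrable_domain(inner.hostname)
                if dest not in TRUSTED_DOMAINS:
                    findings.append(f"redirects-to:{dest}")
    return findings


# Constructed samples: a genuine link, a redirect through the trusted
# site, and a host whose first letter is Cyrillic U+0435 rather than Latin "e".
SAMPLES = [
    "https://example.edu/login",
    "https://example.edu/redirect?next=/home&url=https://login-verify.com/steal",
    "https://\u0435xample.edu/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, analyse_url(sample))
```

The punycode form is the one worth showing users: a host that renders as example.edu but encodes to something starting with xn-- is not the domain it appears to be. The redirect check is deliberately generous; a legitimate redirect parameter that points back to the organisation's own domain produces no finding, while one that points anywhere else does.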

Report phishing attempts

  • If the phishing attempt targets IU in any way (for example, it asks for those using IU Exchange to "verify their accounts", includes a malicious PDF directed to university human resources, or impersonates IU or UITS), forward it with full headers to

    For instructions on displaying and sending full headers, see Display and send the full headers of an email message.

    The UIPO (University Information Policy Office) can take action only if the message asks for IU account credentials or originated from within IU. All other spam should be reported to the appropriate authority below. If the message did originate from within IU, see If you receive spam.
  • Outlook users can install the PhishMe Reporter add-in for Windows or Mac to report phishing attempts with a single click. The PhishMe Reporter add-in automatically includes the headers in the report. For more, see About the PhishMe Reporter add-in.
  • You can report a phishing scam attempt to the company that is being spoofed.
  • You can also send reports to the Federal Trade Commission (FTC).
  • Depending on where you live, some local authorities also accept phishing scam reports.
  • Finally, you can send details to the Anti-Phishing Working Group, which is building a database of common scams to which people can refer.

For more about phishing scams, see Email & Phishing Scams .

If you've fallen for a phishing scam

For specifics about what to do if you're a victim of a phishing scam, see Email & Phishing Scams .

Example of a phishing scam

The following phishing scam was targeted at the IU community:


Date: Sat, 12 Jul 2008 17:42:05 -0400
To: <"Undisclosed-Recipient:;">

Dear INDIANA.EDU email Subscriber

This mail is to inform all our {INDIANA.EDU} users that we will be maintaining and upgrading our website in a couple of days from now.As a Subscriber you are required to send us your Email account details to enable us know if you are still making use of your mailbox. Be informed that we will be deleting all mail account that is not functioning to enable us create more space for new students and staffs of the school, You are to send your mail account details which are as follows:

*User Name:
*Date of birth:

Failure to do this will immediately render your email address deactivated from our database.

Thank you for using INDIANA.EDU



About email fraud



Many types of fraud exist, and email is an inexpensive and popular method for distributing fraudulent messages to potential victims. Most fraud is carried out by people obtaining access to account numbers and passwords. Never respond to any message that asks you to send cash or personal information. You won't receive any riches, and you could actually get into legal trouble if you become involved with one of these scams.

Some of the most common fraudulent messages are non-monetary hoaxes or non-monetary chain mail. Treat these as you would spam; for more, see If you receive spam. However, if you receive an email message that appears to involve money, or asks for personal information, do not respond.

Below you'll find information about various types of email fraud. If you receive any of these types of messages, you can report them to the Federal Trade Commission. To do so, forward the message with full headers to If a message of this type appears to come from a valid Indiana University address, forward it with full headers to the University Information Policy Office (UIPO) at

The FBI and the US Postal Inspection Service, along with other partners, have launched a website to educate the public about internet schemes and to provide a central place for consumers to file complaints. The site offers an interactive online fraud risk test that lets users measure online safety habits relating to identity theft, financial fraud, internet auctions, counterfeiting, lottery scams, and computer privacy. It also provides prevention tips, details on current cyber scams, consumer alerts, victim stories, and an opportunity to share stories of cyber fraud. See Looks Too Good To Be True.

Personal information scams (phishing)

"Phishing" scams are currently the most popular and thus dangerous form of email fraud. They use email messages that appear to come from a legitimate company or institution, such as your bank or university, and ask you to "update" or "verify" your personal information; the scammers then use this information to commit identity theft.

Indiana University and other reputable organizations will never use email to request that you reply with your password, full Social Security number, or confidential personal information.

For more about identifying and avoiding phishing scams, see Avoid phishing scams.

Nigerian bank scams

A very common type of email fraud is advance fee fraud schemes. The perpetrators of advance fee fraud (sometimes referred to as Nigerian or foreign bank scams) are often very creative and innovative. This fraud is also called 4-1-9 fraud after the section of the Nigerian penal code that addresses fraud schemes. Nigerian nationals, purporting to be officials of government or banking institutions, will fax or email letters to individuals and businesses in the US and other countries. The correspondence states that a reputable foreign company or individual is needed for the deposit of an overpayment on a procurement contract. Some variations of this scheme have the son or daughter of a murdered official plead for your assistance in depositing an inheritance in a US bank. Individuals are asked to provide funds to cover various fees, and also are asked for personal identifiers such as Social Security numbers, bank account numbers, and other similar data. Once this information is received, the victims often find that their bank accounts are emptied. It is hard to pinpoint how much has been lost in these scams since many victims do not report their losses to authorities for fear of embarrassment.

You can report these types of messages to the Internet Crime Complaint Center, which provides a central referral mechanism for complaints involving internet-related crimes at the international, federal, state, and local level.

Sweepstakes, lottery, and prize scams

Similar to the Nigerian bank scam, these scams trick you into thinking you've won large amounts of money. You sometimes have to send personal information that is then used to rob you, or you are asked for processing fees for your fictitious winnings. Be suspicious if:

  • You know you didn't enter the competition or promotion that you've won.
  • You're asked for any sort of processing fee.
  • You're asked to buy "low-risk" shares in a fund for purchasing "high-stakes" tickets.
  • You're offered bait prizes that are substandard or you're asked to purchase "exclusive items".
  • Receipt of your prize requires travel or other arrangements at your own expense.

Do not reply to these types of messages. Instead, forward them with full headers to postmaster at the address where the message originated.

Pyramid schemes

This is a scheme in which a hierarchy is created by people joining under others who joined previously, and in which those who join make payments to those above them in the hierarchy, with the expectation of being able to collect payments from those who join below. Pyramid schemes are prohibited by US law, by the laws of each of the fifty individual states, and by the laws of most other nations. Pyramid schemes are variously defined under these laws either as a form of gambling or as outright fraud.

Ponzi schemes

These are named after Charles Ponzi, who ran such a scheme in 1919-1920. A Ponzi scheme is an investment scheme in which returns are paid to earlier investors entirely out of money paid into the scheme by newer investors. Ponzi schemes are similar to pyramid schemes, but differ in that Ponzi schemes are operated by a central company or person, who may or may not be making other false claims about how the money is being invested and about the source of the returns. Ponzi schemes don't necessarily involve a hierarchal structure, as in a pyramid scheme; there is merely one person or company collecting money from new participants and using this money to pay off promised returns to earlier participants. Ponzi schemes are not necessarily illegal, but they are difficult to distinguish from illegal pyramid schemes. In almost every case, only a very few early investors actually benefit from them.

Multilevel marketing (MLM) schemes

Multilevel marketing plans, also known as network or matrix marketing, are a way of selling goods or services through distributors. These plans typically promise that if you sign up as a distributor, you will receive commissions for both your own sales and those of other people you recruit to join the distributors. MLM plans usually promise to pay commissions through two or more levels of recruits, known as the distributor's downline. While some MLM schemes are supposedly legitimate, if a plan offers to pay commissions for recruiting new distributors, it likely is illegal. Most states outlaw this practice, which is known as pyramiding. State laws against pyramiding say that a multilevel marketing plan should pay commissions only for retail sales of goods or services, not for recruiting new distributors. Pyramiding is prohibited because plans that pay commissions for recruiting new distributors inevitably collapse when no new distributors can be recruited. When a plan collapses, most people, except perhaps those at the very top of the pyramid, lose their money.

Chain mail

Chain mail is a form of junk mail. A chain mail message is generally sent to several people and includes instructions that each person should forward the letter to several others. These messages waste system resources and often grow quite large as senders append their own additions. Do not forward such messages.

Email fraud and hoaxes often occur in chain mail. Never send money or personal information to people on lists via chain mail, or from whom you've received chain mail. For more, see About chain mail.

More resources

The information in this document is based on the following resources:

  • United States Secret Service. Public Awareness Advisory Regarding "4-1-9" or "Advance Fee Fraud" Schemes. Check the Protecting Yourself section of the United States Secret Service FAQ page.
  • Federal Trade Commission. Multilevel Marketing. You can find this publication online at the FTC's Bureau of Consumer Protection site.

Keep your passphrase secure

No one at Indiana University (including UITS), or anywhere else, should ask for your passphrase for any reason, whether in person or via phone, chat, email, postal mail, or online in any way. If you doubt the authenticity of any email message or website, or worry about your IT accounts, contact your campus Support Center as soon as possible.

The first step in keeping your passphrase secure is to create a good one. For details, see Your IU passphrase. After you've created a strong passphrase:

  • Never share your passphrase with anyone: It is against university policy to do so. This includes family, friends, significant others, computer support people, vendors, outside websites or applications, and bosses. If you need someone to read your email, that person can do so without your passphrase by using the delegates feature in Microsoft Outlook; see Allow others to send mail on your behalf in Outlook for Windows.
  • Use a passphrase vault: A passphrase vault is a program that balances the security of multiple passphrases with the convenience of recording them. You create a single strong passphrase to protect the passphrase vault, and the vault takes care of securely storing the rest of your hard-to-remember passphrases.
  • Change your passphrase if it is compromised: For instructions, see Change your IU passphrase.
  • Never send your passphrase in email, even if the request looks official: Not only is doing so against university policy (see the first suggestion in this list), but such requests are most likely phishing attempts.
  • Make your computer's administrative password and your IU passphrase different: Besides your IU passphrase, you should also have an administrative password for your computer, and the two should be different. For information about the administrative account, see About your device's administrator account.

Phishing attacks

What is a phishing attack

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.

An attack can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or identity theft.

Moreover, phishing is often used to gain a foothold in corporate or governmental networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.

An organization succumbing to such an attack typically sustains severe financial losses in addition to declining market share, reputation, and consumer trust. Depending on scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.

Phishing attack examples

The following illustrates a common phishing scam attempt:

  • A spoofed email ostensibly from is mass-distributed to as many faculty members as possible.
  • The email claims that the user’s password is about to expire. Instructions are given to go to to renew their password within 24 hours.

Several things can occur by clicking the link. For example:

  • The user is redirected to, a bogus page appearing exactly like the real renewal page, where both new and existing passwords are requested. The attacker, monitoring the page, hijacks the original password to gain access to secured areas on the university network.
  • The user is sent to the actual password renewal page. However, while being redirected, a malicious script activates in the background to hijack the user’s session cookie. This results in a reflected XSS attack, giving the perpetrator privileged access to the university network.

Phishing techniques

Email phishing scams

Email phishing is a numbers game. An attacker sending out thousands of fraudulent messages can net significant information and sums of money, even if only a small percentage of recipients fall for the scam. As seen above, there are some techniques attackers use to increase their success rates.

For one, they will go to great lengths in designing phishing messages to mimic actual emails from a spoofed organization. Using the same phrasing, typefaces, logos, and signatures makes the messages appear legitimate.

In addition, attackers will usually try to push users into action by creating a sense of urgency. For example, as previously shown, an email could threaten account expiration and place the recipient on a timer. Applying such pressure causes the user to be less diligent and more prone to error.

Lastly, links inside messages resemble their legitimate counterparts, but typically have a misspelled domain name or extra subdomains. In the above example, the URL was changed to Similarities between the two addresses offer the impression of a secure link, making the recipient less aware that an attack is taking place.

Spear phishing

Spear phishing targets a specific person or enterprise, as opposed to random application users. It’s a more in-depth version of phishing that requires special knowledge about an organization, including its power structure.

An attack might play out as follows:

  • A perpetrator researches names of employees within an organization’s marketing department and gains access to the latest project invoices.
  • Posing as the marketing director, the attacker emails a departmental project manager (PM) using a subject line that reads, Updated invoice for Q3 campaigns. The text, style, and included logo duplicate the organization’s standard email template.
  • A link in the email redirects to a password-protected internal document, which is in actuality a spoofed version of a stolen invoice.
  • The PM is requested to log in to view the document. The attacker steals his credentials, gaining full access to sensitive areas within the organization’s network.

By providing an attacker with valid login credentials, spear phishing is an effective method for executing the first stage of an APT.

Phishing protection

Phishing attack protection requires steps be taken by both users and enterprises.

For users, vigilance is key. A spoofed message often contains subtle mistakes that expose its true identity. These can include spelling mistakes or changes to domain names, as seen in the earlier URL example. Users should also stop and think about why they’re even receiving such an email.
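The domain tricks described in the email-phishing section (a misspelled domain name, or the real domain name pushed into the subdomain of an attacker-controlled host) can be checked mechanically, which is what a mail filter or a browser extension does on the user's behalf. The following is an added example, not code from the page, from Imperva, or from IU: it parses each link in a message and classifies its host against a trusted domain. The page's own example URL is not reproduced, so `university.example` is a constructed placeholder, the sample email body is constructed, and the "registrable domain" is approximated as the last labels of the host (a real filter would consult the public suffix list).

```python
import re
from urllib.parse import urlparse

# Constructed placeholder for the institution's real domain.
TRUSTED_DOMAIN = "university.example"

# Deliberately simple link extractor for plain-text message bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Return a verdict string describing how the link's host relates to the trusted domain."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unparseable"
    # "https://university.example@other.test/" displays the trusted name but goes elsewhere.
    if parts.username is not None:
        return "embedded-userinfo"
    # Exact match or a genuine subdomain of the trusted domain.
    if host == trusted or host.endswith("." + trusted):
        return "legitimate"
    # The trusted name appears as leading labels of some other registrable domain.
    if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
        return "trusted-name-as-subdomain"
    # Compare the last N labels (N = labels in the trusted domain) for near-misses.
    n = trusted.count(".") + 1
    registrable = ".".join(host.split(".")[-n:])
    if 0 < edit_distance(registrable, trusted) <= 2:
        return "lookalike-domain"
    return "unknown-domain"


def scan_message(body: str, trusted: str = TRUSTED_DOMAIN):
    """Classify every link found in a message body; returns (url, verdict) pairs."""
    return [(url, classify_link(url, trusted)) for url in URL_RE.findall(body)]


# Constructed sample message modelled on the password-expiry lure described above.
CONSTRUCTED_EMAIL = """Subject: Your password expires in 24 hours

Renew now at https://university.example.renewal-portal.test/renew
or use the real portal https://passwordrenewal.university.example/renew"""

if __name__ == "__main__":
    for url, verdict in scan_message(CONSTRUCTED_EMAIL):
        print(f"{verdict:28s} {url}")
```

Any verdict other than `legitimate` is a reason to stop and, as the text says, ask why the message arrived at all; the `unknown-domain` case is deliberately not treated as safe, since most phishing hosts resemble nothing in particular.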

For enterprises, a number of steps can be taken to mitigate both phishing and spear phishing attacks:

  • Two-factor authentication (2FA) is the most effective method for countering phishing attacks, as it adds an extra verification layer when logging in to sensitive applications. 2FA relies on users having two things: something they know, such as a password and user name, and something they have, such as their smartphones. Even when employees are compromised, 2FA prevents the use of their compromised credentials, since these alone are insufficient to gain entry.
  • In addition to using 2FA, organizations should enforce strict password management policies. For example, employees should be required to frequently change their passwords and should not be allowed to reuse a password for multiple applications.
  • Educational campaigns can also help diminish the threat of phishing attacks by enforcing secure practices, such as not clicking on external email links.

Phishing Protection from Imperva

Imperva offers a combination of access management and web application security solutions to counter phishing attempts:

  • Imperva Login Protect lets you deploy 2FA protection for URL addresses in your website or web application. This includes addresses having URL parameters or AJAX pages, where 2FA protection is normally harder to implement. The solution can be deployed in seconds with just a few clicks of a mouse. It doesn’t require any hardware or software installation and enables easy management of user roles and privileges directly from your Imperva dashboard.
  • Working within the cloud, Imperva Web Application Firewall (WAF) blocks malicious requests at the edge of your network. This includes preventing malware injection attempts by compromised insiders in addition to reflected XSS attacks deriving from a phishing episode.