Phishing Response

What Are Phishing Campaigns?

Phishing is a type of cyber attack where attackers impersonate legitimate organizations or trusted entities to deceive individuals into revealing sensitive information, such as usernames, passwords, credit card numbers, or other personal data. These fraudulent attempts frequently occur through email, online messaging, text messages (SMS), phone calls, or social platforms.

Phishing campaigns are increasingly sophisticated, making it harder for individuals to distinguish between legitimate and malicious communications. This type of attack can be highly damaging, leading to identity theft, financial loss, and unauthorized access to sensitive accounts or systems.

ASU will never send emails asking for your password or login information. Beware of emails that ask for your personal information, login credentials, DUO auth codes, or financial information. If you suspect you have received a phishing message, you can find instructions on reporting it to the ASU Security Operations Center below.


The main goal of phishing attacks is to trick users into providing personal or financial information that can be used for malicious purposes. Here are some common objectives of phishing campaigns:

  1. Stealing Personal Information: Attackers may attempt to steal sensitive information such as usernames, passwords, social security numbers, and bank account details.
  2. Financial Theft: Cybercriminals often use phishing to steal money by gaining access to bank accounts or credit cards, or by initiating fraudulent transactions.
  3. Credential Harvesting: Many phishing attacks focus on obtaining login credentials for websites or applications. With these credentials, attackers can compromise user accounts and use them for malicious purposes, such as fraud or spamming.
  4. Installing Malware: Phishing emails or websites may include malicious attachments or links that, when clicked, install malware on your device. This malware can then steal data, track activities, or give attackers control of your system.
  5. Business Email Compromise (BEC): In this more targeted form of phishing, attackers attempt to compromise the business account of an executive or trusted partner in an organization and then use that account to deceive their targets. The goal of these campaigns is to gain access to the account and use it to send the attacker's phishing campaign to other internal users, who are more likely to trust a message from a colleague.

Phishing can take many forms on many different communication platforms. Here are a few of the most common types:

  1. Email Phishing: The most common type of phishing, where attackers send fake emails that appear to be from legitimate sources (banks, online services, etc.). These emails often contain urgent messages asking recipients to click on a malicious link or provide sensitive data.
  2. Spear Phishing: A more targeted form of phishing, where attackers customize their messages to a specific individual or organization. Spear phishing often involves gathering personal information about the victim to increase the likelihood of success.
  3. Smishing: This type of phishing occurs through SMS or text messages, where attackers send deceptive messages asking the recipient to click on links or provide sensitive data.
  4. Vishing: Also known as voice phishing, this involves fraudulent phone calls where attackers pose as legitimate entities (such as a bank or government agency) to trick victims into providing personal information.
  5. Whaling: A form of phishing specifically targeting high-level executives or "big fish" within a company. The attacks are often highly personalized and sophisticated, with the goal of stealing large sums of money or confidential information.
  6. Clone Phishing: Attackers recreate a legitimate email that the victim has previously received and modify it to include a malicious link or attachment. This form of phishing exploits the trust the victim has in the original sender.

Phishing attempts are increasingly sophisticated, but there are still some red flags that can help you spot them:

  1. Suspicious Email Addresses: Check the sender's email address carefully. Phishing emails often come from addresses that look similar to legitimate ones but have subtle differences (e.g., support@paypa1.com instead of support@paypal.com).
  2. Generic Greetings: Legitimate organizations typically address you by your name. Phishing emails may use vague greetings like "Dear Customer" or "Dear User" to avoid personalization.
  3. Urgent or Threatening Language: Phishing emails often create a sense of urgency, such as claiming your account has been compromised or you need to act immediately to avoid negative consequences. Legitimate organizations typically don’t pressure you like this.
  4. Unexpected Attachments or Links: Be cautious of emails that contain attachments or links, especially if they’re unsolicited or you weren't expecting them. Hover over the link (don’t click) to check if the URL matches the legitimate website.
  5. Spelling and Grammar Errors: Phishing emails often contain spelling mistakes, grammatical errors, or awkward phrasing that is uncommon in professional communications.
  6. Too Good to Be True Offers: Be skeptical of emails promising large sums of money, free prizes, or discounts that seem too good to be true. Legitimate organizations don’t typically make such offers via email.
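As an added example (not part of the ASU page), the following Python check applies the first red flag above to a From: header: it folds common digit-for-letter swaps such as the paypa1.com address mentioned, measures edit distance against a list of trusted domains, and also flags a trusted brand name in the display name paired with an unrelated domain. The trusted-domain list, the confusable table and the sample addresses are constructed for illustration.

```python
"""Flag sender addresses whose domain imitates a trusted one (added example)."""
from email.utils import parseaddr

# Constructed allow-list; a real deployment would use the organization's own domains.
TRUSTED_DOMAINS = ("paypal.com", "asu.edu")

# Digit/letter swaps commonly used to build look-alike domains (heuristic, constructed).
CONFUSABLES = {"1": "l", "0": "o", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Map confusable characters back to the letters they imitate."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike', 'brand-impersonation' or 'unknown'."""
    display_name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Identical after confusable folding, or one edit away: a look-alike domain.
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 1:
            return "lookalike"
        # Trusted brand name in the display name but an unrelated domain: impersonation.
        # Substring matching is a heuristic and can misfire on short brand names.
        brand = trusted.split(".")[0]
        if brand in display_name.lower():
            return "brand-impersonation"
    return "unknown"
```

A mail gateway or triage script would run this over the From: header of each reported message and route anything other than "trusted" or "unknown" for analyst review.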

While phishing attacks can be highly deceptive, there are several strategies you can use to avoid falling victim:

  1. Verify the Sender: If you receive an email, text, or phone call from a company or organization, don’t respond directly. Instead, go to their official website and use contact information from there to verify the legitimacy of the message.
  2. Use Two-Factor Authentication (2FA): Enable two-factor authentication on your accounts wherever possible. This adds an extra layer of security, making it harder for attackers to access your accounts, even if they manage to steal your password.
  3. Keep Software and Systems Updated: Regularly update your operating system, software, and antivirus programs. This helps protect against known vulnerabilities that phishing campaigns may attempt to exploit.
  4. Don’t Click on Suspicious Links: If you’re unsure about an email or message, don’t click on any links or open attachments. Instead, visit the website directly by typing the URL into your browser.
  5. Educate Yourself and Others: Awareness is one of the most powerful tools in preventing phishing. Regularly educate yourself and your organization about common phishing tactics and how to spot them.
  6. Use Anti-Phishing Tools: Many modern browsers, email providers, and security software offer built-in protection against phishing attacks. Use these tools to help identify and block suspicious websites and emails.
  7. Report Phishing Attempts: If you receive a phishing email or message, report it to the ASU Security Operations Center to open an investigation. Reporting helps others avoid falling victim.

Reporting Phishing at ASU

To report a suspicious message, please contact the ASU Security Operations Center using one of the following methods:

For Email Phishing:

  • Download the suspicious email, attach it to a new email, and send it to ReportPhish@asu.edu, following our instructions for forwarding emails as attachments.
  • If you are unable to send the email as an attachment, forward the email to ReportPhish@asu.edu and copy the email headers (from, to, cc, date, subject, signed-by, mailed-by, …) from the top of the forwarded email into the body of the forwarded message.
  • Do not forward the email to anyone else and instead report it directly to ASU Security Operations Center.

For other ASU managed communication platforms (Zoom Phone, Slack, ASU Branded Impersonation, …):

After reporting a suspicious message to the ASU Security Operations Center, please consider adding the sender to the block list in your email client. In the Microsoft Exchange (Outlook) environment or in Gmail, a sender can be added to the blocked list by clicking the ‘More’ button next to ‘Reply’ and selecting the ‘Report Phishing’ option.