March 8, 2010

Don't Get Phished In

A phishing scam is an attempt to fish for personal information and access to accounts by posing as a trusted source, like a bank, an IT department, a government official, or even a friend.  To learn more about how to avoid getting "phished in", read on...


1. Avoid giving your passwords to third-party sites.

Don't offer up your password to anyone or anywhere but to the site to which it belongs.  If there is an issue with your account, a real IT professional won't need to ask you for your password; he or she can reset it. 

If you want an application to work with your Facebook, your Twitter, or other account, there should be APIs (or application programming interfaces) that allow it to do so without you sharing your password.  Many Twitter and Facebook accounts have been hacked by people sharing their passwords with malevolent applications.  These applications then message their friends with spam, phishing scams, or other security threats.  Which brings us to...

2. Always verify links and attachments before clicking on them.

If you have ever worked on a Web page, you know how easy it is to code a hyperlink whose visible text (for example, "legitimate website") says one thing while the actual link target is something else entirely.  You could get a link that looks like it's from your bank, but links to someone's fake site.  You could get a link that looks like a funny video from a friend, but it is actually a virus or malware sent from a friend's hacked account.

Attachments can contain malware, or software that runs without your consent (viruses, worms, spyware, etc.).  Many other file types, including Microsoft Office files, can contain malicious code.  (If you've ever opened an Office file and gotten a security warning about macros, this is because viruses can be sent through the macros in any Office file.)

Before you click, try the following:
  1. Make sure the sender is legitimate and he or she intended to send it.  Call the sender on the phone if you weren't expecting an attachment.  (If you are sending an attachment, let recipients know in person or via phone to expect it.)
  2. Hover over the hyperlinks to check URLs before clicking on them.  (Does the URL match the text of the link?  Do you recognize the URL where you are being sent?  Be suspicious of URLs that are a few letters off from legitimate sites or substitute .gov with .com, etc.)
  3. Weigh the risks against the benefits.
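The "hover and compare" check in step 2 can be scripted as a rough filter for a mail or link-scanning tool.  The following Python is an added example and not part of the original post; the trusted-domain list, the two-letter "a few letters off" threshold, and the assumption that a domain's last two labels are its registrable name (so .co.uk-style suffixes are not handled) are all illustrative choices.

```python
import re
from urllib.parse import urlparse

# Constructed list of sites the reader legitimately uses (assumption; adapt to your own).
TRUSTED_DOMAINS = ["psu.edu", "chase.com", "irs.gov"]

def host_of(text):
    """Lowercase hostname from a URL or bare domain, or None if the text is not URL-like."""
    s = text.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", s, re.I):
        s = "http://" + s          # let urlparse handle bare domains like 'www.chase.com'
    host = urlparse(s).hostname
    return host.lower() if host and "." in host else None

def registrable(host):
    """Last two labels, e.g. 'online.chase.com' -> 'chase.com' (assumes no multi-label suffixes)."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot domains that are 'a few letters off'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(link_text, href):
    """Return warnings for one hyperlink, mirroring the manual hover-and-compare checks."""
    warnings = []
    shown, real = host_of(link_text), host_of(href)
    if real is None:
        return ["href has no hostname"]
    # Check 1: does the URL shown in the link text match where it really goes?
    if shown and registrable(shown) != registrable(real):
        warnings.append(f"link text shows {shown} but points to {real}")
    # Check 2: is the real domain a lookalike of a site we trust (TLD swap or typo)?
    real_reg = registrable(real)
    if real_reg not in TRUSTED_DOMAINS:
        rname, rtld = real_reg.rsplit(".", 1)
        for good in TRUSTED_DOMAINS:
            gname, gtld = good.rsplit(".", 1)
            if gname == rname and gtld != rtld:
                warnings.append(f"{real_reg} uses .{rtld} where the trusted site uses .{gtld}")
            elif gtld == rtld and edit_distance(gname, rname) <= 2:
                warnings.append(f"{real_reg} is a few letters off from {good}")
    return warnings
```

An empty list means the link passed both checks; anything else is a reason to pick up the phone before clicking.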

3. Know what you are downloading and/or installing.

Don't treat downloading and installing like an impulse buy.  Make sure people you know and trust have heard of the application.  Ask I-Tech if they know of any compatibility issues it may have.

Just like coding a hyperlink to say anything, buttons can be coded to do anything as well.  If you ever get prompted to install software that you don't want and you are suspicious of it, don't just close or cancel:
  1. Press CTRL+ALT+DEL.
  2. In Task Manager click on the Applications tab.
  3. Select the program or browser asking you to install and click the End Task button.

4. Keep yourself up-to-date.

Threats are out there.  Just as we get smarter and the software to prevent attacks gets better, the criminals are getting smarter and creating better ways to compromise your machine.  You need to treat security as an ongoing process:
  1. Clean up old files so backups and scans run faster.  (See https://intranet.libraries.psu.edu/home/itech/training/tutorials/cleaup.html)
  2. Make sure your regular backup is running and set properly so that it includes the files you need.  (See https://wikispaces.psu.edu/display/training/Backup+Checkup)
  3. Keep virus definitions updated.
  4. Run regular virus scans.
