Department of Information Technology

4 Common Phishing Strategies and How to Avoid Them  

Phishing is the most frequently used tactic to steal someone's password, identity, money, and time. Outlined below are the four most common phishing scams used by cyber criminals. Many phishing emails try to trick you into clicking a malicious link, which allows criminals to access sensitive information, compromise the university network, or even infect your computer with malware.

1. Quick Favor / Reply

The sender sends a very informal email asking if the recipient can do a quick favor. Replies are met with a story from the sender, who claims to be in a meeting they can't leave, unable to use a cell phone, and asks the recipient to buy a certain amount of gift cards. The scammer will instruct the victim to scratch off the codes on the back and send pictures of the code numbers. Often, the sender's email address in this type of phish appears to belong to a Seton Hall user, and the message is sent to the spoofed person's co-workers to try to get a friendly response.

2. Invoice Notification / Order Confirmation

There are two methods to this scam. In the first, the invoice demands payment for services rendered or products bought. In the second, the email tells the recipient their payment is confirmed and a receipt is attached, instructing the user to call a given number if they have any questions. Calls are most likely met with a very friendly person on the other end who cheerfully offers a full refund and asks the recipient for their credit card information so they can process it. Once the credit card information is given, the other person hangs up and starts using the card before it can be reported as stolen.

3. Shared Document

An email informs the recipient that they have received a shared document and includes a URL to click. Users who click are taken to another page to continue to the shared document, and this click usually leads to a fake Microsoft login page used to steal the user's login credentials.

4. Password or Account Expiring

The recipient is notified that their password or account is about to expire and is told to click a button to keep using it. The button usually goes to a fake Microsoft login page used to steal login credentials.

Quick Keys to Stay Safe Online

  1. When in doubt, don't click. Do not click anything in the email unless you are absolutely sure you know who it is from and where the link will take you.
  2. Who is it from? Before taking any action, review the from address to confirm it matches the sender's name.
  3. Check with the source. If the email is coming from someone you know but you aren't sure, contact the person directly via phone or a separate email message.
  4. If you see something, say something. If an email looks suspicious, click the Report Phish button to alert IT Security.

If you see something, say something. The Report Phish button instantly notifies the IT Security team of suspicious emails that may pose a threat to you and the Seton Hall community. The feature is available in Outlook, Outlook for Web, and the Outlook mobile app for iOS and Android.
