Phishing

Phishing - /'fiSHiNG/ - Phishing is an attempt by malicious actors, pretending to be a legitimate enterprise, to steal private information such as usernames and passwords, Social Security Numbers (SSN), dates of birth, and banking information.

LSU IT Security & Policy (ITSP) is dedicated to improving the security posture of the university and to helping our community members learn how to improve their own security. ITSP reviews phishing messages received by the LSU community to implement preventive security measures for our campus network and our email services. Additionally, LSU has implemented a phishing awareness program to educate our user community about the types of phishing messages.

ITSP’s comprehensive phishing awareness program seeks to educate our users to recognize malicious content by running regular phishing simulations. Beginning Fall 2023, at the completion of each simulated phishing campaign, ITSP will choose two reporters to win an LSU prize bundle. One student and one employee will be chosen at random from each month’s reporters.

To qualify for the prize, you must report the phish using the Cofense Reporter button in Outlook or Outlook Web. Winners will be notified by a member of ITSP via email the week following the conclusion of each campaign. For details on how to report phishing, please refer to the "Report Suspicious E-mails" section below.

ITSP has implemented a phishing reporting tool called Cofense Reporter. The application conveniently integrates directly with Outlook mail clients and Office365, providing LSU users a quick and easy mechanism to report phishing e-mails.

  • Use Cofense Reporter to report a phishing e-mail to LSU ITSP. This method will be the only one utilized to identify winners for the Phishing Awareness Program.
  • If Cofense Reporter is not an available option for you, please report phishing messages to LSU ITSP.

Here are three quick steps you can take to identify phishing emails:

  1. Check the sender: Check the domain of the sender's address. Phishing emails will often come from unfamiliar domains.
  2. Check the body: Phishing emails often try to create a sense of fear and urgency in subject lines, hoping users will comply. Grammatical errors are common, as is random capitalization.
  3. Check the destination: Always review links before clicking. If you have already clicked a link, review the destination website to confirm that the URL is accurate and valid. When possible, go directly to a site through your browser instead of clicking on a link.

Phishing attacks are not isolated to emails. Get familiar with these terms:

  • Smishing: fraudulent text messages 
  • Vishing: fraudulent phone calls from scammers impersonating legitimate businesses 

To protect yourself from smishing and vishing:

  • Be suspicious of all unknown callers and unexpected text messages.
  • Don't inherently trust caller ID. Phone numbers can be spoofed, i.e. the number on caller ID may not be the actual number calling you.
  • If you are unsure about a caller, ask lots of questions. If a caller is asking for personal information or wants you to purchase something, ask for company information and inform them that you will call back. You can search for the company and their customer support number to call back and confirm. 

If you believe you have fallen for a phish, please take the following actions:

  • If you accidentally shared your username and password, please change your password immediately. Note: The new password must be unique and should not have been used anywhere else. If you use the same password for different services, you must change passwords for other services as well.
  • If you shared your banking (credit card, debit card, bank account, etc.) information, please reach out to your financial institutions.
  • If you shared any other personally identifiable information (Social Security Numbers, Date of Birth, etc.), you should take necessary steps to monitor your credit for any unauthorized changes. View our information on Identity Theft for details on how to freeze your credit.

 

LSU ITS will never:

  • Request that you validate or share your myLSU/PAWS/e-mail account information and password through email.
  • Request any of your personally identifiable information, such as SSN, Date-of-Birth, etc. via e-mail.