Phishing Awareness
What is Phishing?
Phishing is a type of cyber attack where attackers attempt to trick individuals into providing sensitive information like usernames, passwords, or credit card details by pretending to be a legitimate entity. These scams often occur through email but can also be carried out via text messages (SMS phishing or "smishing") or phone calls (voice phishing or "vishing").
Common Phishing Tactics
Fake Emails from Trusted Sources
Attackers create emails that appear to come from trusted entities, such as a school district, government agency, or online service like Google or Microsoft. These emails often contain urgent requests, asking recipients to click on a link or download an attachment. Example: "Your account will be suspended unless you verify your identity. Click here to confirm your credentials."
Spear Phishing
A more targeted approach where the attacker customizes the phishing attempt, typically focusing on a particular individual or organization. These emails may include personal details that make the attack appear more credible. Example: "Dear Mr. Smith, based on your recent password reset request, please click this link to update your login details."
Link Manipulation
Phishing emails often include links that appear legitimate but redirect the user to malicious websites designed to steal login credentials or other sensitive information. Example: An email asks you to click on a URL like www.bankofamerica-secure.com, which is a deceptive look-alike of www.bankofamerica.com.
Impersonating School or IT Support
Emails may claim to be from the school’s IT department, asking for passwords or personal details to resolve a technical issue. Example: "Your account has been compromised, and we need your username and password to secure it."
Red Flags to Watch Out For
Understanding phishing tactics is the first step, but being able to spot red flags in suspicious emails is key to preventing a phishing attack.
Urgent Language or Threats
Phishing emails often use language that creates a sense of urgency, such as "Your account will be deactivated unless you take immediate action."
Unexpected Attachments or Links
If an email contains an unexpected attachment or asks you to click on a link to update your information, be cautious. Always verify the legitimacy of the sender.
Incorrect Grammar or Spelling
Phishing attempts frequently contain poor grammar or unusual sentence structures, which is a major indicator that something is wrong.
Unfamiliar Sender Email Address
Even if the name in the email looks legitimate, the email address may be slightly off. For example, instead of admin@school.com, the phishing email may use admin@sch00l.com.
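As an added illustration of the Link Manipulation and Unfamiliar Sender Email Address red flags above (example code written for this page, not part of the district's guidance), the following Python checks a sender address or a hyperlink against a list of trusted domains and flags look-alikes such as sch00l.com or bankofamerica-secure.com, as well as links whose visible text names a different site than the one the link actually goes to, which is what hovering over a link reveals. The trusted-domain list and the digit-for-letter table are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed list of domains the reader's organisation trusts (assumption).
TRUSTED_DOMAINS = {"school.com", "bankofamerica.com"}

# Digit-for-letter swaps that make sch00l look like school; heuristic only.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable(domain: str) -> str:
    """Crude registrable name: the last two labels (enough for .com-style names)."""
    return ".".join(domain.lower().split(".")[-2:])


def normalise(domain: str) -> str:
    """Undo common look-alike tricks so the name can be compared to a trusted one."""
    return domain.translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' (imitates a trusted brand) or 'unknown'."""
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    nbase = normalise(reg).rsplit(".", 1)[0]        # e.g. 'bankofamerica-secure'
    for trusted in TRUSTED_DOMAINS:
        base = trusted.rsplit(".", 1)[0]             # e.g. 'bankofamerica'
        # Same name once the swaps are undone, or the brand padded with extra words.
        if nbase == base or base in nbase.split("-"):
            return "lookalike"
    return "unknown"


def check_sender(address: str) -> str:
    """Classify the domain part of a From: address, e.g. admin@sch00l.com."""
    return classify_domain(address.rsplit("@", 1)[-1])


def check_link(display_text: str, href: str) -> list[str]:
    """Flags for one hyperlink: a look-alike target, or visible text that names
    a different site than the one the link really goes to (what hovering shows)."""
    flags = []
    host = urlparse(href).hostname or ""
    if classify_domain(host) == "lookalike":
        flags.append(f"look-alike domain: {host}")
    shown = re.search(r"[\w.-]+\.\w+", display_text)
    if shown and registrable(shown.group()) != registrable(host):
        flags.append(f"text shows {shown.group()} but link goes to {host}")
    return flags
```

The checks are deliberately simple heuristics; a real mail filter would use a full public-suffix list and a broader confusable-character table.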
What to Do If You Suspect a Phishing Email
Do Not Click on Links
If an email looks suspicious, do not click on any embedded links or attachments. Instead, hover over the link to check the URL or manually type the web address into your browser.
Verify the Sender
If the email claims to be from someone you know or an organization you trust, reach out to them directly (without replying to the email) to verify its legitimacy.
Report Suspicious Emails
Always report potential phishing emails to your IT department. At Albany County School District, we encourage you to forward any suspicious emails here or put in a help desk support ticket at https://kace.acsd1.org. You can also report phishing and spam email right in your Outlook email by selecting the Report button.
Phishing Awareness Best Practices
Enable Multi-Factor Authentication (MFA)
Adding an extra layer of security with MFA can help protect accounts even if your password is compromised.
Keep Software Updated
Ensure that your computer’s operating system, browser, and security software are up-to-date with the latest security patches.
Train and Stay Informed
Cyber threats evolve quickly, so it's important to stay updated. Regular training sessions on phishing can help users recognize attacks more effectively.
Use Strong Passwords
Strong, unique passwords for each account can limit the impact if one of your passwords is exposed in a phishing attack.
Examples of Real-World Phishing Scams
1. Facebook and Google
Between 2013 and 2015, Facebook and Google were tricked out of $100 million due to an extended phishing campaign. The phisher took advantage of the fact that both companies used Quanta, a Taiwan-based company, as a vendor. The attacker sent a series of fake invoices to the company that impersonated Quanta, which both Facebook and Google paid.
Eventually, the scam was discovered, and Facebook and Google took action through the US legal system. The attacker was arrested and extradited from Lithuania, and, as a result of the legal proceedings, Facebook and Google were able to recover $49.7 million of the $100 million stolen from them.
2. Crelan Bank
Crelan Bank, in Belgium, was the victim of a business email compromise (BEC) scam that cost the company approximately $75.8 million. This type of attack involves the phisher compromising the account of a high-level executive within a company and instructing their employees to transfer money to an account controlled by the attacker. The Crelan Bank phishing attack was discovered during an internal audit, and the organization was able to absorb the loss since it had sufficient internal reserves.
3. FACC
FACC, an Austrian manufacturer of aerospace parts, also lost a significant amount of money to a BEC scam. In 2016, the organization announced the attack and revealed that a phisher posing as the company’s CEO instructed an employee in the accounting department to send $61 million to an attacker-controlled bank account.
This case was unusual in that the organization chose to fire and take legal action against its CEO and CFO. The company sought $11 million in damages from the two executives due to their failure to properly implement security controls and internal supervision that could have prevented the attack. This lawsuit demonstrated the personal risk to an organization’s executives of not performing “due diligence” with regard to cybersecurity.
4. Upsher-Smith Laboratories
In 2014, a BEC attack against a Minnesotan drug company resulted in the loss of over $39 million to the attackers. The phisher impersonated the CEO of Upsher-Smith Laboratories and sent emails to the organization’s accounts payable coordinator with instructions to send certain wire transfers and to follow the instructions of a “lawyer” working with the attackers.
The attack was discovered midway through, enabling the company to recall one of the nine wire transfers sent. This decreased the cost to the company from $50 million to $39 million. The company decided to sue its bank for making the transfers despite numerous missed “red flags”.
5. Ubiquiti Networks
In 2015, Ubiquiti Networks, a computer networking company based in the US, was the victim of a BEC attack that cost the company $46.7 million (of which they expected to recover at least $15 million). The attacker impersonated the company’s CEO and lawyer and instructed the company’s Chief Accounting Officer to make a series of transfers to close a secret acquisition. Over the course of 17 days, the company made 14 wire transfers to accounts in Russia, Hungary, China, and Poland.
The incident only came to Ubiquiti’s attention when it was notified by the FBI that the company’s Hong Kong bank account may have been the victim of fraud. This enabled the company to stop any future transfers and attempt to recover as much of the $46.7 million stolen as possible (which represented roughly 10% of the company’s cash position).