What is phishing?
Phishing (pronounced "fishing") is a technique used by criminals to obtain sensitive personal information such as account details, PIN, credit card number, user ID or password, through the Internet. Once such sensitive information is obtained from you, the criminals will have access to your account to perform unauthorized transactions. This activity is similar to “social engineering,” but unlike social engineering, phishing takes a passive approach of sending out mass emails and hoping someone takes the bait.
What are the tell-tale signs?
Many tricks are involved in phishing scams. The most common method is sending you a spoofed email purporting to be from a trusted source such as your bank, credit card company, service provider, or IT department. The email will usually use one of the following tactics to trick you into acting on its instructions:
"Your account is currently being updated as we are introducing a new security system. Follow the instructions below to reactivate your account."
"Your credit card is the subject of a police investigation for fraud. Please follow the instructions below."
"Our records indicate that payment for your Internet account is due. We are also currently introducing a new e-payment service. Please follow the instructions below."
"You are the lucky winner of our lucky draw. Please submit your credit card details so that we can verify your identity."
The following are examples of the instructions you may be asked to follow:
"Please provide a return email with your account details, PIN, or credit card number. We will reactivate your account as soon as we receive your email."
"Please click on the hyperlink below to update your personal details."
"Please click on the attachment below. This will automatically generate an alert on our side. We will update your account and inform you."
The purpose of these instructions is to make you disclose personal details such as your PIN, credit card number, user ID or password, which the criminals can use to access your account. If you follow the links or attachments in the email, you may be directed to a fake website that looks almost identical to the website of your bank or credit card company. These fake websites are created to trick you into divulging your login credentials and personal information. Some emails also carry attachments containing viruses, worms, malware, spyware or trojans, which may infect your PC and allow criminals to monitor your every keystroke and, in doing so, capture your personal information.
Tips to protect yourself and VCS
Your bank will never send you emails asking you to divulge any confidential or personal information. You should report such emails to your bank and then discard them.
You should never reveal your PIN to anyone. No bank should ever ask you for your PIN for any reason.
Do not click on any link to log on to bank websites or open attachments in emails purportedly sent to you by your bank, credit card company or service provider.
Always enter the full URL or domain name of your bank or credit card company into your browser address bar. If you are unsure of their web address, contact them for the information.
Always check your credit card and bank account statements for any suspicious or unauthorized transactions. If you detect anything unusual, contact your bank immediately.
Do check your bank's website for more information on Internet security. In the event that you think you have become a victim of a phishing scam, contact your bank immediately.
IT will never send you emails asking you to divulge any confidential or personal information. You should immediately report these or any such emails to IT, as these are likely to be phishing attacks.
VCS uses an advanced firewall, anti-virus and anti-spyware on our computers and we update them regularly. However, it is ultimately up to the individual to make wise choices that keep their data, and the data of the organization, safe from malicious attacks. Our firewall can't be effective if users choose to click on malicious attachments or links in email.
Remember to log off each time you have finished your confidential activities. Do not walk away from your computer for any length of time without at least locking your desktop. A full shutdown is not necessary.
Always select passwords that are difficult to guess, and when you change your passwords, do not simply append a single digit to the end.
You can protect yourself from phishing scams if you take the necessary precautions to safeguard your personal information and the information of VCS' faculty, staff, and students.