Think Before You Click

Social Engineering & Phishing
What to Look Out For

There are many online threats, and some of them might be hiding in your email inbox. Cyber-criminals often use a tactic called social engineering, which means they try to manipulate people by playing on emotions like trust, fear, or urgency. Their goal is to get you to act quickly without thinking and share private information or click on harmful links. These attackers often pretend to be someone you know or trust, like a bank, a company, or even a coworker. They use deception and impersonation to make their messages seem real.

One of the most common types of social engineering is called phishing. In a phishing attack, someone sends a fake message that appears official, hoping you'll click a link or give away sensitive information like passwords, credit card numbers, or login details. These messages can be sent via email, text, or even fake websites. The links they include often look legitimate at first glance, but they're designed to steal your information.

At FIU, the IT Security Office (ITSO) provides resources to help students, faculty, and staff recognize and report phishing attempts. They highlight common tactics like email spoofing, fake job offers, and urgent requests for personal information. FIU also offers a tool called the Phish Alert Button in your university email, which lets you quickly report suspicious messages to the security team. Additionally, completing the university's Cybersecurity Awareness Training is a great way to stay informed about phishing and other online threats.

To protect yourself, always be cautious with unexpected messages. Check the sender's email address, look for signs of urgency or fear, and avoid clicking on suspicious links. If something feels off, trust your instincts and report it. Staying informed and alert is the best way to avoid falling for these scams.

What to Look Out For:

Suspicious Sender Addresses: Check if the sender's email address is slightly misspelled or unfamiliar.
Urgent or Threatening Language: Messages that pressure you to act quickly (e.g., 'Your account will be locked!').
Unexpected Attachments or Links: Be cautious of files or links you weren't expecting, especially if they prompt you to log in.
Generic Greetings: Phrases like “Dear Customer ' instead of your actual name.
Requests for Sensitive Info: Legitimate organizations rarely ask for personal data via email or text.
Look-alike Websites: Fake sites may closely mimic real ones but have odd URLs or design flaws.
Spoofed URLs: Hover over links to check the actual destination. Look for subtle misspellings or extra characters (e.g., www.papya1.com instead of www.paypal.com).
Poor Grammar or Spelling: Many phishing emails contain awkward phrasing or typos.
Too-Good-To-Be-True Offers: Promises of prizes, money, or gifts in exchange for clicking a link or filling out a form.
Unusual Timing: Emails sent at odd hours or with timestamps that don't match the sender's usual behavior.
Mismatch Between Display Name and Email Address: The name might say Microsoft Support, but the email is from a different domain.

Expand all

Deception Phishing (Impersonation-based)
- The attacker pretends to be a legitimate organization (e.g., a bank, IT department, or vendor).
- The phishing attempt will often appear to be from a well-known or trusted brand.
- Alternatively, they may impersonate individuals in positions of power, such as an executive or professor.
- Sometimes the email or communication will come from a legitimate account that has been compromised by an attacker.
- They will attempt to trick the victim into clicking a malicious link or providing credentials.
Spear Phishing & Whaling
Spear Phishing
- Highly targeted and personalized with a specific intended victim, the attacker will often impersonate a known contact or colleague.
- The attacker may or may not impersonate a well-known brand.
Whaling
- Aimed at high-profile targets (e.g., executives, board members, or senior managers), often using social engineering rather than brand impersonation.
- Attackers often research the target’s role, habits, and relationships to craft convincing messages.
- May reference real business events, meetings, or internal projects.
- It may come from a Look-alike domain or even a real executive’s compromised account.
- Emails often mimic corporate communication styles and may use company branding.
- Less likely to contain obvious spelling or grammar mistakes.
Clone Phishing
- A legitimate email is copied and resent with malicious links or attachments swapped in.
- Looks identical to the original legitimate email.
- The email is sent from a Look-alike address:
  (e.g., john.doe@company-support.com instead of john.doe@company.com).
- Sometimes, the attacker uses a compromised legitimate account to send the clone.
- Because the email looks familiar and references a previous conversation or document, the victim is more likely to click or download without suspicion.
Phishing Without Impersonation
- Some phishing emails may not impersonate anyone at all. Instead, they use:
  - Curiosity: “See who viewed your profile.”
  - Fear: “Your device is infected!”
  - Greed: “You’ve won a prize!”
- These rely on emotional triggers rather than trust in a brand or person.
- These emotions make a person act more impulsively, causing them to take less time to consider the legitimacy of the email.

Search this website

Think Before You Click