Phishing FAQ

Table of Contents

• What is phishing?
• How can I detect phishing attempts?
• What can I do to protect myself?
• What are some examples of phishing?
• How do I report suspected phishing?
• Phishing Tournament Q&A's

What is phishing?

• Phishing is a fraudulent activity whose main objective is to obtain your personal information, e.g. account credentials, credit card numbers.
• Perpetrators pretend to be a trusted entity such as a person or business you already know, or might plausibly interact with.
• Phishing is most often done by email but can originate from other sources, e.g. text messages.

How can I detect phishing attempts?

Phishing scams can be very sophisticated but a phishing email often has the following characteristics:

• Reports suspicious activity on your account.
• Requests confirmation of your personal information.
• Requests that you update your payment details.
• Includes a link to a website or an attachment to be downloaded.
• Often has a generic, non-personalized greeting.
• Calls for immediate action.
• Includes offers that appear too good to be true.

What can I do to protect myself?

Your diligence is the best preventative measure. Here are some common-sense steps to follow:

• Don't open suspicious emails, e.g. emails with alarming subject lines or from suspicious senders.
• Check the sender's email address.
  • Are they who they claim to be?
  • Does the name displayed match the actual email address being used?
• Don't click or tap on suspicious links!
  • If you’re on a computer, use your mouse to hover over the link to verify the link's target.
• Don't provide any account or personal financial information – legitimate entities do not request this via email.
• Don't download files from unfamiliar people.
• Don't open attachments from any unrecognized external email addresses or phone numbers.
• Get someone else's opinion.
  • Ask a coworker: Were we expecting an email from this sender?
  • Ask a friend: Does this email look strange to you?
• If you think the email might be legitimate but have any doubts, contact the person or business directly using your own contact information.

What are some examples of phishing?

• See Known Phishing Scams for ongoing examples of email scams that have been reported.
• COVID-19 Phishing Scams highlights those scams specific to COVID-19.

How do I report suspected phishing?

• See How to report Spam, Phishing, and Not Junk for Microsoft email settings that help filter phishing and spam emails.
• To report a phishing or spam email forward the message to phishing@dartmouth.edu. The Dartmouth security team monitors this address to collect and analyse all incoming reports.
• If you have already responded to the email, do the following:
  • If you've provided account credentials, update those credentials as soon as possible.
  • If you've given out credit card information, notify the credit card provider.
• Non-work related incidents can be reported to the Federal Trade Commission.

Phishing Tournament Q&As

• Q: How soon do scores get added to leaderboard?
• A: Farm-raised phish: Immediately;  Wild Phish: within a day if accepted;  Stocked phish: within 2 hours of reporting.
• Q: Where do you report Wild and Stocked phish?
• A: phishing@dartmouth.edu
• Q: When do you pick up prizes?
• A: All prizes will be distributed at the end of the tournament. You will be contacted to arrange distribution.
• Q: How often do you send out Stocked phish?
• A: 1 or more times per day, Monday thru Friday
• Q: How often do you add Farm-raised phish (new quizzes)?
• A: 1 or more times per day, Monday thru Friday.
• Q: Do you send out Wild Phish?
• A: No, Wild Phish are sent via external sources to your Dartmouth email that are trying to Phish you for sensitive or confidential information.
• Q: Do we have to describe what type of phish we get? Like wild or stock. Or just forward it to you?
• A: No we can determine this and you just need to forward the email to phishing@dartmouth.edu
• Q: I am wondering whether each point (above 3 points) in the GoPhish tournament translates to one entry in the daily raffle, or if anyone who has at least 3 points, has exactly 1 entry? In other words, do my chances of winning in the raffle increase proportionately with the number of points?
• A: Once you catch 3 phish you are entered into the daily raffle. Each contestant only gets 1 entry
• Q: Do errors on the quizzes (farm raised phish) effect our score?
• A: No, as long as you find all correct answers in a quiz you will get credit for 1 phish in your score.
• Q: Why did the stocked phish I sent to phishing@dartmouth.edu not show up in my score?
• A: Our team is processing a lot of phish on a daily basis and sometimes we miss a few for various reasons. They are recorded in the phish processing engine so once we know we missed them you be awarded the points.
• Q: I am a Dartmouth College employee, however I work for the Geisel and Dartmouth Hitchcock fundraising development office. We cannot forward email from Hitchcock to Dartmouth email, so we all have to forward our Dartmouth email to our Hitchcock email. Thus I only use my Hitchcock email, and have been forwarding my phishing emails from my @hitchcock.org account. Will my emails be counted in the fishing totals?
• A: We are actively working on scoring these types of emails.  There may be slight delays in scoring these.
• Q: What is the difference between a phishing and a spam email when it comes to collecting wild phish?
• A: All emails forwarded to phishing@dartmouth.edu are reviewed to determine if it is a wild phish.  We use specific criteria to distinguish spam from phishing.  In general, spam is attempting to sell goods or services, where phishing employs fraudulent techniques to take something from you or trick you into doing something. 
• Q: Can I submit wild phish from accounts that I manage, e.g., sustainable.dartmouth@dartmouth.edu? I have only seen one bona-fide phishing attempt in my inbox which is routed via my DH outlook email account. I am guessing that the DH team is blocking much of these attempts?
• A: We appreciate that you forward such emails to phishing@dartmouth.edu.  However, these are not scored as part of the Phishing Tournament.
• Q: Do you send out the same number of emails to everyone in the competition on the same day?
  A: Yes, every registered contestant gets the same number of stocked phish. We can't control the wild phish.
• Q: Does using hints in quizzes count against your score?
  A: No, you will get one point per completed quiz regardless.
• Q: How is the fastest phish calculated?
• A: The time is calculated from when you get the email in your inbox, to when you forward it to phishing@dartmouth.edu