It's Tax Season — Avoid the "Phish!"

Details

Category: Alerts

Published on Friday, March 18, 2022 11:29 AM

Written by Adrian Cepero

Dear Staff,

In an effort to further enhance our district's cyber defenses, we want to highlight a common cyber-attack that everyone should be aware of – phishing.

"Phishing" is the most common type of cyber attack that affects organizations like ours. Phishing attacks can take many forms, but they all share a common goal – getting you to share sensitive information such as login credentials, credit card information, or bank account details by pretending to be an individual or organization you may know or trust.

Although we maintain controls to help protect our networks and computers from cyber threats, we rely on you to be our first line of defense.

We’ve outlined a few different types of phishing attacks to watch out for:

• Phishing: In this type of attack, hackers impersonate a real company to obtain your login credentials. You may receive an email asking you to verify your account details with a link that takes you to an imposter login screen that delivers your information directly to the attackers. These generally lack personal information since they are sent to a large number of people at once, have a sense of urgency and contain typos and grammatical errors.
• Spear Phishing: Spear phishing is a more sophisticated phishing attack that includes customized information that makes the attacker seem like a legitimate source. They may use your name and phone number and refer to Hackensack Public Schools in the email to trick you into thinking they have a connection to you, making you more likely to click a link or attachment that they provide.
• Whaling: Whaling is a popular ploy aimed at getting you to transfer money or send sensitive information to an attacker via email by impersonating a real district administrator. Using a fake domain that appears similar to ours, they look like normal emails from a high-level official of the district, typically the Superintendent, Business Administrator or Principal, and ask you for sensitive information (including usernames and passwords) or to transfer money/purchase gift cards.
• Shared Document Phishing: You may receive an email that appears to come from file-sharing sites like Dropbox or Google Drive alerting you that a document has been shared with you. The link provided in these emails will take you to a fake login page that mimics the real login page and will steal your account credentials.  

What You Can Do

To avoid these phishing schemes, please observe the following email best practices:

• Do not click on links or attachments from senders that you do not recognize. Be especially wary of .zip or other compressed or executable file types (these are removed automatically in our email system).
• Do not provide sensitive personal information (like usernames and passwords) over email.
• Watch for email senders that use suspicious or misleading domain names (some may even originate from free email accounts such as Gmail or Yahoo).
• Inspect URLs carefully to make sure they’re legitimate and not imposter sites.(The most important pieces of a domain name are the last 2 portions. For example, an attacker may create a domain name such as netflix.[some random domain].com to try to make a domain seem legitimate. The red flag is [some random domain].com. Any legitimate email will usually originate from the company's primary domain.  In this case, netflix.com.  Anything before the last two portions of the domain are meaningless and easy to spoof.)
• Do not try to open any shared document that you were not expecting to receive. Reach out to the sender via another method to confirm the authenticity of the shared document.
• If you can’t tell if an email is legitimate or not, please report it using our PhishER (fish hook icon) tool in Gmail or by email to This email address is being protected from spambots. You need JavaScript enabled to view it..
• Be especially cautious when opening attachments or clicking links if you receive an email containing a warning banner indicating that it originated from an external source.

Thanks again for helping to keep our network, and our people, safe from these cyber threats.

Please let us know if you have any questions.

Regards,

Department of Technology