Here is the script for an upcoming training on Phishing.
As an educational professional, you may have thousands of student records passing through your control every year. Often, you are the only thing standing in between your families’ private lives and anonymous profiteers looking to steal and sell their information.
Phishing is any method of tricking someone to perform an action or disclose privileged information. Emails are the most common vehicle. Phishing techniques are always evolving, so you can’t rely on old guides or even this guide forever. But after this video you should have the right tools to ask the right questions at the right times to defend the privacy rights of your families.
First, how can you spot a phishing scam? I’m going to take you through 3 stages of recognizing phishing scams: First, be aware. Then, be suspicious. Then, confirm your suspicions.
When you check your email, you should always be aware. Be careful about responding to messages when you’re tired, stressed, or sick. According to a Washington State University study, missing sleep can impair decision making. Also, be extra careful when using your phone to reply to emails. Verizon discovered that people are far more susceptible to phishing attacks when answering from a phone because they tend to read and respond more quickly.
When should you become suspicious? Here are five signs to watch for. Each one by itself isn’t cause for alarm, but in combination they should set off alarm bells.
1. The email is “out of the blue,” it’s a new topic or something that you weren’t expecting to receive.
2. The email asks you for something, it might be a favor or information, a reply, or it might look like a business invoice.
3. The email has a link or a button that you’re expected to click.
4. The email has a file attachment.
5. The email does not have any personal content that verifies the sender. So for example, here’s an email from Etta Avlia, one of our hearing itinerant teachers. I know it’s her, because she writes about things that only she or one of our staff would be familiar with.
As a general rule, if you see two or more of these items combined, you should be suspicious. The email could be fine, or it could be phishing.
If you are suspicious, never ever download an attachment from an unfamiliar email, and never click on a link or a button in an email. Get independent confirmation from a trusted source first.
How can we confirm that an email is legit or a scam?
Here are two ways:
1. Independently confirm with somebody else.
2. Check for deceptive addresses in the Sender and the Body of the email.
The easiest way to remove doubt is just to ask the person if they sent you the email. Don’t click the reply button. Write a new message, text or call the sender. This doesn’t require any technical know-how and it’s always better than falling for a scam. But sometimes you have to do your own detective work.
Next, you need to spot fake addresses. To do that you need to know a bit about domain names. Email addresses have them, and web addresses have them. Criminals love to create domains and addresses that look kind of like the real thing, but they’re not.
In an email address, the domain is the part after the “at” sign. In a Web address, find the first slash after the double-slashes at the beginning. Then go backwards two dots. That part between that dot and the slash is the domain. For example, in https://www.google.com/, the domain is google.com. Sometimes you’ll see stuff appear before the domain, like news.google.com or mail.google.com, and that’s OK. But you should never see anything between the domain name and the first slash, like https://www.google.com.shenzen.cn/. That’s not Google!
Domain names are cheap, and criminals can easily create web and email addresses that look legit if you don’t know about domain names. For example, if you get an email from email@example.com, don’t trust it! It doesn’t come from the real casedupage.com.
Now that you know about domains, look for trickery in two places.
First, the sender address. If it’s an address you don’t recognize, be suspicious. Criminals like to disguise email addresses in a few different ways. They might put some words before the @ sign to throw you off. Or maybe they created a domain that looks like it might be from Microsoft, but now you won’t be fooled.
There’s also a technique called spoofing, where an email shows a completely different email address than the real sender. However, spoofed emails are rare in our office because our email system blocks them automatically. Hackers can still spoof the sender to look like your own email address though, so if you get an email that says “I hacked your email and I’m logged in as you to send this,” you can relax a little bit because it’s probably just spoofed.
There is also always the possibility that the email address is real, but somebody’s email account was hacked and it is being used to send you scam emails. So you can’t depend on the sender address alone.
Second, look for links or buttons in the body of the email.
Hover your mouse cursor–DO NOT CLICK–just hover your mouse cursor over the link, and at the bottom of your browser window you will see the Web address where the link is sending you. Does it look different than the text of the address in the email? Does it look strange and unfamiliar? Are there signs that a domain is being faked? If you answered yes to any of these, it’s definitely a scam.
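As an added example (not part of the training script), here is a small Python checker that applies the two rules above: it pulls the domain out of a sender address and out of a link the way the script describes (everything after the @, or the host between the double-slashes and the first slash, then back two dots), compares the address shown in a link with where the link really points, and flags a known name buried inside a different domain. The trusted-domain list, the sender and the links are constructed for illustration; the two-dots rule is the script’s simplification and does not handle suffixes such as co.uk.

```python
from urllib.parse import urlparse

# Constructed list of domains you already know; substitute your own.
TRUSTED = {"google.com", "casedupage.com"}

def registrable(host: str) -> str:
    """The script's rule: go backwards two dots from the end of the host.
    'www.google.com' -> 'google.com'; anything in front (news., mail.) is fine.
    Simplification: this does not handle suffixes like 'co.uk'."""
    return ".".join(host.lower().split(".")[-2:])

def url_domain(url: str) -> str:
    """Host is between the '//' and the first '/', then apply registrable()."""
    return registrable(urlparse(url).hostname or "")

def email_domain(address: str) -> str:
    """The domain of an email address is everything after the '@'."""
    return registrable(address.rsplit("@", 1)[-1])

def lookalike_warnings(domain: str, host: str, trusted=TRUSTED) -> list:
    """A known name inside a different domain, e.g. www.google.com.shenzen.cn,
    or a known name with extra words glued on, e.g. casedupage-hr.com."""
    hits = []
    for t in trusted:
        if domain != t and (t in host or t.split(".")[0] in host):
            hits.append(f"'{t}' appears inside unrelated domain '{domain}'")
    return hits

def check_message(sender: str, links: list) -> list:
    """links: list of (text shown in the email, address the hover reveals)."""
    warnings = []
    sender_dom = email_domain(sender)
    if sender_dom not in TRUSTED:
        warnings.append(f"sender domain '{sender_dom}' is not one you know")
    warnings += lookalike_warnings(sender_dom, sender.rsplit("@", 1)[-1])
    for shown, href in links:
        real = url_domain(href)
        if shown.startswith("http") and url_domain(shown) != real:
            warnings.append(f"link shows '{url_domain(shown)}' but goes to '{real}'")
        warnings += lookalike_warnings(real, urlparse(href).hostname or "")
    return warnings

# Constructed sample: a lookalike sender plus a link whose text hides its target.
SAMPLE = check_message(
    "payroll@mail.casedupage-hr.com",
    [("https://www.google.com/docs", "https://www.google.com.shenzen.cn/login")],
)
```

Every item in the returned list is one of the "signs that a domain is being faked" the script tells you to look for; an empty list only means the addresses pass these checks, not that the email is safe.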
If you have received a phishing email, the procedure is simple:
1. Do not click any links, or download any files.
2. Forward the message to your IT staff.
3. Block and report the phishing scam to your email provider.
a. In Outlook, click the “Junk” button in the top menu, and select “Phishing”.
b. In Gmail, next to the “Reply” button, click the 3 dots, and select “Report phishing”.
If you clicked on a link or downloaded an attachment by mistake, even if you didn’t enter your email and password, report it immediately to your IT staff. We will need to reset your account password and run a malware scan on your computer, just in case.