You Took the Bait and Got Phished!

This email was a “test phish” sent by Carilion. If this had been an actual phishing email, your work or personal information could have been accessed and used to compromise our network or commit fraud.

What is Phishing?

Phishing is an attempt by a fraudulent actor to collect personal and/or financial information over email, phone or text message. These fraudulent actors typically acquire this information by asking people to enter personal information into fake websites posing as real ones.

Reporting a Suspected Phishing Email

If you receive an email that you think may be a phish, report it to our information security team by forwarding the email as an attachment to phishing@carilionclinic.org. Here’s how to do that:

In Microsoft Outlook, press Control-Alt-F to open a draft email message with the suspicious email as an attachment.

In Outlook Web Access, right-click on the email and choose “Forward as Attachment” to open a draft email message with the suspicious email as an attachment.

After you forward the email to phishing@carilionclinic.org, delete it.

Reporting the email can help keep the phish from spreading to others. We’ll investigate the email and may contact you if we need additional information.

Protect Sensitive Information

Keep in mind that Carilion Clinic and other legitimate sites will never ask you to send sensitive information such as your username, password, full social security number, bank account details or credit card information over email, phone or text message.

If you receive a suspicious email, don’t reply to the message, give out any personal or account information, click on any links, or open any attachments. If you believe that you have fallen victim to a phishing scam, please disconnect from the network immediately and report the incident to the Technology Service Center through Edison or by calling 540-224-1599 (71599).

Here are five steps to keeping yourself safe.

  1. Beware of poor spelling or grammar. Many phishing attacks originate outside the U.S. from people whose first language isn’t English. Legitimate organizations pay attention to details like grammar and spelling. If the email contains these errors, it’s probably a scam.
  2. Never respond to requests for information. Reputable organizations will never ask you to send passwords, credit card numbers or other personally identifiable information by email. Never.
  3. Check the email address. There are two parts to the “From” part of an email: the user name (or alias) and the email address. The alias can be anything the sender wants it to be, but it’s harder to disguise an email address. Phishers always change the alias to look legitimate, like “PayPal Customer Service.” But if the email address in that example isn’t PayPal.com, the message is a fake. Always check before clicking.
  4. Don’t click unless you’re sure. Phishers often try to get people to click on a fake log-in or payment page. The page looks real, but it’s a false front intended to capture information. Before you click a link, hover your mouse pointer over it first. The address will show up at the bottom of your browser or email client screen. If it looks suspicious, don’t click.
  5. Check the banner. Phishers will try to get you to click by making their email look like it is from someone within Carilion. However, Carilion Clinic identifies external email by using a yellow banner.
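As an added example (not part of Carilion’s page or its tooling), the following Python automates the checks in steps 3 and 4: it compares the brand a “From” display name claims against the real address domain, and compares the host a link’s visible text suggests against the host its href actually points to. The brand table and the sample headers and HTML are constructed for illustration.

```python
# Added example, not from the Carilion page: automates steps 3 and 4 above.
# The brand table and all sample inputs are constructed for illustration.
import re
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND_DOMAINS = {"paypal": "paypal.com", "carilion": "carilionclinic.org"}
# Regex link extraction is enough for this demo; a real filter should use a
# proper HTML parser (for example html.parser.HTMLParser).
LINK_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def host_of(url):
    """Lowercase host of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def same_org(host, domain):
    """True when host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_from(header):
    """Step 3: the alias can claim any brand, so compare the brand it names
    with the real address domain. Returns a warning string or None."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name.lower() and not same_org(domain, legit):
            return f"display name mentions {brand} but address domain is {domain}"
    return None


def shown_host(text):
    """Host a reader would infer from link text; '' if it is not URL-like."""
    if " " in text or "." not in text:
        return ""
    return host_of(text if "://" in text else "http://" + text)


def check_links(html):
    """Step 4: what hovering reveals, for every link in an HTML body. Warns
    when the visible text names one host but the href goes to another."""
    warnings = []
    for href, inner in LINK_RE.findall(html):
        real, shown = host_of(href), shown_host(TAG_RE.sub("", inner).strip())
        if real and shown and not same_org(real, shown):
            warnings.append(f"link text shows {shown} but points to {real}")
    return warnings
```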

Questions?

If you have questions about this test phish, contact Organizational Integrity and Compliance at 540-510-4600 (54600).

Antiphishing Resources: