SCAMALOT! Part V

Posted May 2nd, 2017 at 1:37 pm.

In this edition of SCAMALOT, we’ll take a closer look at an email that raises a number of common phishing flags. Scam emails aren’t always as easy to identify as you might think; it may have been a while since you’ve been asked to wire money to a foreign prince! The most convincing attacks have a very realistic tone and come from what looks like a legitimate person or organization (or, as we’ll see below, from an actual Bryn Mawr College account). This means that stopping for just a moment to analyze the details of a message is imperative to protect yourself and the College from harm.

After reading this post, you’ll be better equipped to recognize phishing attacks and hopefully be persuaded to look at your emails just a bit more scrupulously in the future.

As with previous editions of SCAMALOT, this post won’t be a list of every way to determine if an email is legitimate, but it will help raise your awareness of common phishing tactics.

Don’t automatically trust an email from a known person/organization

As we covered in SCAMALOT Part IV, just because an email appears to come from someone at a trusted organization (such as the College) does not rule out the possibility that it is a scam. The email address could have been spoofed (forged so the message appears to come from someone other than the actual source), or the sender’s account may have been compromised and is now being used to send phishing attacks. In this particular example, by clicking on Robin’s name in the email’s header, we see that the account sending the phishing emails is indeed a Bryn Mawr College account. The account had been compromised by a previous phishing attack.

What’s ITS?

You might also have noticed that although the message is from Robin Banks, the greeting line (if you could call it that) reads “ITS Chief Technology Officer.”

A department called “ITS” does not exist at Bryn Mawr College. Library and Information Technology Services (or LITS) certainly does! That being said, look out for phishing attacks claiming to come from LITS or LITS staff.

Also, by examining the email signature, we can see that the message is not signed by Robin or another individual. Beware of ambiguous signatures signed by a team or group. All communications from LITS will be signed by a LITS staff member; we encourage all community members to also sign their emails. This signature also contains a few other strange elements, including a copyright year and the subject line of the email (with gratuitous use of exclamation points!!! — another way scammers try to grab your attention).

Sniff Out Social Engineering Attacks

Cyber criminals are experts at creating appealing “bait” to convince folks to “bite” and provide the attackers with sensitive information. Learn to recognize the common elements of their traps:

Deadlines

“If not verified within 24 hours…”

Attackers know that when confronted with a deadline, people are more likely to take action. You may recognize this cheap tactic from TV advertisements: “Call within the next 2 minutes for free shipping!”

Consequences

“…you might not be able to receive new emails.”

“…your account will be blocked.”

Attackers know that the idea of not having access to email is a frightening thought. Phishing emails often present you with impending penalties such as being locked out of your accounts, not getting a package delivered, being fined by the IRS, etc.

Calls for Action

“Please click the link below and and verify your account.”

Note: Yes, the email does have this typo!

The attacker has instilled a sense of urgency with the deadline and consequence; now, they’ll provide a way to prevent the consequence. Don’t take the bait! It’s best practice not to log into a service such as your email, bank, or social media accounts from links within emails. Navigate to the service from a known, trusted URL by typing it into your browser or using a bookmark. Have further questions about the validity of the message? Contact the person or organization from a known, trusted phone number. LITS can help with this, too.

You have a 50 Gigabyte mailbox

One of the most common types of phishing attacks contains the warning that you’ve exceeded your mailbox limit. This is highly unlikely. Each BMC community member has a 50 Gigabyte mailbox. A typical 80-word email is around 10 Kilobytes. This means you’d need about 5 million emails before you exceeded your mailbox’s limit. Visit LITS Tech Docs for more information on file size: http://techdocs.blogs.brynmawr.edu/5523

If you’re interested in checking your mailbox usage, follow these steps.

1. Click on the Settings button (gear icon)
2. In the Settings menu, click on Mail
3. Under General, click on My Account
4. Your mailbox usage is listed towards the bottom of the screen

Links: Hover to Discover

It’s never wise to click on links in emails received from unknown people or organizations. Even if you do know the sender, it’s best practice to closely examine links in emails before you click on them.

It’s a bit odd that the message doesn’t describe where the link leads. It says, “CLICK HERE,” but where exactly is “here”? That being said, just because an email describes where the link supposedly goes does not mean you should proceed without caution. For example, a phishing message could contain this text: “Visit the BMC Webmail log in page to verify your account: webmail.brynmawr.edu” while the link behind that text points somewhere else entirely.


Hovering over the CLICK HERE text in our example email reveals the following destination:

aboutus.in/admin/notice/brynmawr/brynmawr/Sign In.html

Does the link look legitimate? aboutus.in is a website registered in India. The attackers added “brynmawr” and “Sign In” to make the link appear genuine.
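As an added example (not part of the original post), here is a Python script that performs the “hover to discover” check automatically over a constructed HTML email body: it extracts each link’s real destination, checks the host against an assumed trusted-domain list, and flags both the decoy pattern above (the College’s name appearing only in the path) and links whose visible text shows a trusted address while the destination does not. The trusted domain list and the phish.example host are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed sample of the HTML a phishing email carries. The first href is the
# destination quoted in the post; "phish.example" is a constructed attacker host.
SAMPLE_EMAIL_HTML = """
<p><a href="http://aboutus.in/admin/notice/brynmawr/brynmawr/Sign%20In.html">CLICK HERE</a></p>
<p><a href="https://webmail.brynmawr.edu/">webmail.brynmawr.edu</a></p>
<p>Log in at <a href="http://phish.example/login">webmail.brynmawr.edu</a></p>
"""
TRUSTED_DOMAINS = {"brynmawr.edu"}  # assumption: the College's real domain

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what hovering over a link reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    # True only for the trusted domain itself or a real subdomain of it.
    return any(host == d or host.endswith("." + d) for d in trusted)

def analyze_links(html, trusted=TRUSTED_DOMAINS):
    """Return, per link, its real host and the reasons it looks suspicious."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        reasons = []
        if not is_trusted_host(host, trusted):
            reasons.append("destination host is not a trusted domain")
            # Decoy check: the trusted name appears only in the path or a subdomain.
            decoy = unquote(parts.netloc + parts.path).lower()
            if any(d.split(".")[0] in decoy for d in trusted):
                reasons.append("trusted name used as decoy in path/subdomain")
            if is_trusted_host(text.lower().strip("/"), trusted):
                reasons.append("visible text shows a trusted address")
        findings.append({"text": text, "host": host, "reasons": reasons})
    return findings
```

Running `analyze_links(SAMPLE_EMAIL_HTML)` flags the first and third links and leaves the genuine webmail link clean; the same function can be pointed at any saved HTML message.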

That’s it for this edition of SCAMALOT! Learn more about how to recognize scams by completing the College’s Information Security Education Program: http://lits.blogs.brynmawr.edu/7100

Contact the Help Desk with any questions (x7440, help@brynmawr.edu). Please feel free to call if you’d like help determining the legitimacy of a message.


Filed under: Email, Information Security, Office 365 Online. By Andrew Mantuano.