Category Archives: Email

Accessibility Features in Outlook

This article describes assistive technology features that you can turn on when using Outlook to make reading and writing email easier. For guidelines on how to create e-mails that are accessible to others, see Creating Accessible Emails in Outlook.

Outlook is part of Office 365/Microsoft 365, which all current students and employees can access online through a web browser and install on personal devices. The desktop version is installed on all college-owned computers.




Use Keyboard Shortcuts

You can use key combinations to navigate in Outlook and perform common menu operations such as opening, creating, replying to, forwarding and sending messages; creating meetings and tasks; switching between the Calendar, Mail and Tasks windows; and moving messages to folders. Keyboard shortcuts can be easier than using a mouse or trackpad for individuals with mobility or vision disabilities. Learning keyboard shortcuts for common tasks can help all users work more efficiently.

See Microsoft’s Keyboard shortcuts in Outlook for the most up-to-date information on shortcuts available in Outlook online (Office365) and Outlook for Windows, Mac and iOS.


Dark Mode (Office 365 Only)

  1. Open Outlook in your browser and log in.
  2. Click Settings
  3. Toggle Dark Mode on.
  4. While Dark Mode is on, you can use the Sun (view with light background) and Moon (view with dark background) icons in the toolbar beneath a message to view only that message’s text on a light background.

See Dark Mode in Outlook for details.


Read E-Mail in Immersive Reader

With both the web version and Outlook desktop apps you can read email in Microsoft’s Immersive Reader to take advantage of accessibility features such as font and spacing adjustments, line focus, and color overlays.

In the desktop version (recommended):

  • Open the Immersive Reader within the Reading Pane by clicking View > Immersive Reader.
  • Any email you highlight in your mailbox will now open in Immersive Reader.

In the web/Microsoft 365 version of Outlook:

  • You can only open one email at a time in Immersive Reader.
  • With the Mail tab open, click (ellipsis) in the top menu bar, and choose Show in immersive reader.
  • Click the arrow in the top left to return to your mailbox.

See Open Immersive Reader for Outlook for instructions on using its features.

 


Listen to Your E-Mail

The Read Aloud feature of Immersive Reader can also read email messages to you using text-to-speech. See Listen to Your Outlook Email Messages with Read Aloud.


Text Prediction (Office 365 only)

Outlook can speed or ease typing by predicting the next word or phrase as you type. Press Tab or the right arrow to accept its suggestions, or keep typing to ignore them. See Editor text predictions for more information, including how to turn this feature on and off.


Request Accessible Content (Office 365)

Turn this setting on at your account level to show other Bryn Mawr Outlook users a notice that “A recipient has requested accessible content” when they send email to you or copy you on an email. Depending on the email composer’s settings, this may also turn on accessibility checking for that message, alerting them to issues like a lack of alternative text or problematic font settings.

  1. Log in to your Bryn Mawr webmail.
  2. Click (Settings) in the top left corner.
  3. Start typing “accessible content” in the search bar of the settings pane, then choose that option when it pops up.
  4. Check the Ask users to send accessible content box
  5. Close the settings window.

Support for Screen Reader Users

Microsoft’s Screen Reader Support for Outlook provides detailed, device-specific information on how to navigate, perform tasks, and read content in Outlook when using a screen reader.

Encrypting Emails in Office365

This article reviews how to encrypt emails in Office365.

Looking to encrypt an external drive?
Check out our Encrypting External Storage Drives tech doc.

 

When & Why

Encryption is required if you must send emails containing financial or personal information (i.e. credit card or Social Security numbers).

Why encrypt?

Encryption ensures that, if the email or account is compromised, the data it contains is inaccessible to any unauthorized users.

 

How to…

Encrypt an email

Include the text [ENCRYPT] in the email subject line like so:

illustration of how to use the subject line to encrypt a message

Encrypted emails can be sent to both College and external email addresses.

If you try to send an unencrypted email containing what appears to be sensitive information, you may see a warning message.

View an encrypted email

Follow the instructions in the email you received:

illustration highlighting in-message instructions for opening an encrypted email

  • Have a Bryn Mawr account? Click Sign In
  • Don’t have a Bryn Mawr account? Click Use a one-time passcode

illustration highlighting Sign-in and One time passcode options

Replies to encrypted emails will be automatically encrypted.

 

Questions?

If you have any additional questions or problems, don’t hesitate to reach out to the Help Desk!

Phone: 610-526-7440
Email: help@brynmawr.edu
Location: Canaday Library 1st Floor


Create Accessible E-Mails in Outlook

Following the guidelines below helps ensure that all recipients will be able to read e-mails you send. For information on features that can make it easier for you to read and write e-mail when using Outlook, please see Accessibility Features in Outlook.

  1. Add Alt Text to Images
  2. Add Meaningful Hyperlinks
  3. Use Accessible Font Formatting
  4. Avoid Animated GIFs
  5. Use the Accessibility Checker

For more detailed information, see Microsoft documentation for making email accessible.

Prefer video? See Microsoft video tutorials on creating accessible content in Outlook.


1. Add Alt Text to Images

Alt text (or alternative text) provides a concise description of an image for screen reader users. The alt text will also appear in place of an image when the image cannot be loaded or rendered properly.

On a Windows device and in Outlook online
  1. In an email draft, click an image in the message body.
  2. To display the formatting toolbar, click Show Formatting Options
  3. In the toolbar, click Add alternate text or image
  4. Type a description for the image and click OK
On a macOS computer
  1. In an email draft, click an image in the message body
  2. In the menu bar at the top of the screen click Format
  3. From the Format menu, click Edit Alt Text…
  4. Type a description for the image and close the Alt text menu.
On a mobile device
  1. In an email draft, double tap an image. This opens the context menu.
  2. Tap Alt Text
  3. Type a description for the image and press OK or SAVE.

 

3. Use Accessible Font Formatting

Color should not be the only means of conveying information.
People who are colorblind may not be able to distinguish text in different colors. Add other formatting (such as bold or italics) when using color to call out or distinguish text instead of relying only on color.

There is sufficient contrast between text and background colors.
For greatest accessibility, use the default font color setting — Automatic, as this will work best when recipients are using high contrast or dark viewing modes to read email. If you do customize the color, check that the contrast between the text and the background meets Web Content Accessibility Guidelines (WCAG) 2.0.

Use sans serif fonts that are at least 11pt.
Sans serif fonts and larger font sizes are easier for people with dyslexia or low vision to read.


 

4. Avoid Animated GIFs

Blinking or flashing content can trigger seizures for individuals with photosensitive seizure disorders. Animated GIFs can be accessible if the animation is no longer than five seconds and only plays once or if viewers manually start and stop it. They are most problematic when the animation loops continuously. If you cannot guarantee an animation won’t loop, it is safest to leave it out or replace it with a still image.


 

5. Use the Accessibility Checker

Microsoft’s Accessibility Checker can check your email drafts for certain issues that could cause access problems and suggest ways to fix them. See Microsoft’s Accessibility Checker documentation for details about what it does and doesn’t check, troubleshooting information, and advice on interpreting results and fixing issues.

Note: The Accessibility Checker is not available in Office apps for iOS or Android devices.

Check an email before sending it:

In Outlook online (Office 365)
  1. Click (More options) in the menu bar above the email.
  2. Choose Check for accessibility issues.
  3. Results will appear in an Accessibility pane to the right of your draft. If issues are found, click Fix This to access the settings you need to fix them.
In Outlook for MacOS
  1. Click the Options ribbon, then Check Accessibility.
  2. Results will appear in a pane to the right of your draft. If issues are found, click Fix This for more information and to access the settings you need to fix them.
In Outlook for Windows
  1. Click Check Accessibility in the Message or Review ribbon.
  2. Results will appear in a pane to the right of your draft. If issues are found, click Fix This for more information and to access the settings you need to fix them.

(Windows only) Run Accessibility Checker while you write and display warnings as MailTips:

  1. Click File
  2. Select Options in the bottom of the right sidebar.
  3. Click Ease of Access
  4. Change the Accessibility checker options to:
    • Show me accessibility warnings while I work — the Accessibility Checker always runs
    • Show me accessibility options when — the Accessibility Checker runs only when the conditions you select are met.
Note: In Outlook for Mac, the Accessibility Checker always runs in the background if you are drafting an email to one or more recipients who prefer accessible content.

 

Email & Calendar: Mobile Devices


Before you start, you will need access to the following:

  • a College account
  • a smartphone or tablet with internet access
  • your Duo two-factor authentication device(s)
  • the Outlook app (iOS, Android)
LITS highly recommends using the Outlook Mobile app.

 

Connection Instructions

iOS & iPadOS

Android

 



Graduating Students – Account Access

When a student graduates, access to a variety of College accounts and online services changes. Please be mindful of the following timelines when moving data and setting up post-graduation accounts.

Office 365: Email and OneDrive
  • Ninety (90) days after you graduate, you will lose access to your college Office 365, email and OneDrive account. If you’d like to save anything from Office 365, email, and OneDrive, you must do so before the end of this 90-day period. LITS cannot restore Office365 access or recover email or files for individuals who have lost access.
  • Bryn Mawr does provide an email forwarding service, which lets you forward e-mail received at your brynmawr.edu to another e-mail address. Please note:
    • You will not be able to set up alumnae/i e-mail forwarding more than 30 days before you graduate.
    • Once you set up this service, emails will begin forwarding within approximately 24 hours (even while you still have access to your Bryn Mawr email account).
  • Alums who are hired to work at the College (including the summer after graduation) will have alumnae forwarding disabled, as access to their full Bryn Mawr College email account will be re-enabled. Please remember to re-set up alumnae/i forwarding after your job at Bryn Mawr ends to ensure mail forwards from your Bryn Mawr College email address to the personal account of your choice.
  • Our agreement with Microsoft does not allow us to offer Microsoft Office to alums free of charge.
H: Drive
  • You will also lose access to your H: drive 90 days after graduation. Please move any files you wish to save. If you had access to other file shares for a campus job, access will end 90 days after graduation or earlier if your supervisor cancels your access.
Moodle
  • 90 days after graduation, you will no longer have access to Moodle or any of the files you have stored there. Please download and save any files you feel you may need in the future, as well as any personal work you may want to publish/showcase.
Domain of One’s Own
  • 90 days after graduation you will no longer be able to log in to manage your Domain of One’s Own website. See our Tech Doc for more information on migrating your domain.
Library Borrowing
  • Graduating students’ library accounts expire on the last day of finals week. In the Spring, graduating seniors who have returned all materials and paid all fines automatically get their accounts extended through the last day of Senior Week.
  • Alumnae/i borrowing is available
BIONIC

See the Server Accounts and Access policy for more information.

Departing Faculty and Staff

When a faculty or staff member leaves Bryn Mawr College, access to a variety of College accounts and services changes. Please be mindful of the account access timelines as described in the documentation when moving data because LITS is unable to perform email or file restores in Office 365.

BIONIC

BIONIC access will end on your final day at the College. If you are a faculty member who is teaching courses the semester of your departure, then your BiONiC access will end 30 days after your date of departure to allow you to submit grades.

Office 365: Email and OneDrive

You will lose access to your College Office 365 account (which includes email, calendars, OneDrive, and downloaded copies of Microsoft Office) on your final day at the College. If you are a faculty member who is teaching courses in the semester of your departure, you will retain access to your Office 365 account for 30 days after your date of departure.

You may want to set up an automatic reply that provides instructions to people who email you after your departure. Please note: for the first 30 days after you lose access to your account, it will be disabled but not deleted. During this time, senders will not receive an automatic reply unless you set one up. Only after the account is deleted will the sender receive an automated message indicating that the address they are writing to cannot be found.

Please back up any information you may want to keep and transfer ownership of shared OneDrive files to someone in your group if the file is still needed. You can find instructions for backing up your email account and OneDrive here: http://techdocs.blogs.brynmawr.edu/5691

If you have downloaded Microsoft Office from your College Office 365 account to your personal computer, you will be able to keep that copy of Microsoft Office but will need to personally renew your Office 365 subscription to reactivate Microsoft Office.

Moodle

You will lose access to Moodle on your final day at the College. If you are a faculty member who is teaching courses in the semester of your departure, then you will retain access for 30 days after your departure. Once you lose access to Moodle, you will no longer have access to any of the files you have stored there. Please download and save any files you feel you may need in the future.

Note: All changes to account access are automatic and based on your departure date. LITS is not able to manually reopen any College accounts.

Network Storage

You will lose access to your personal and departmental network storage (H: and S: drives) on your last day at the College. If you are a departing faculty member teaching courses in the semester of your departure, you will retain access to your network storage for 30 days after your final day. Please back up any information you may need. You can access these drives from off campus by visiting http://ingress.brynmawr.edu/

Data

Personal data from your College computer and H: drive can be backed up to an external hard drive, a flash drive, or an online data storage service. Please speak with your technician regarding which method is best for you. Before you back up any personal data you wish to keep, discuss with your department to make sure they have any information they’ll need from the account.

Note: Some data may be subject to legal and ethical restrictions, and taking it with you may be a violation. This data can include student/class data and data related to College processes. If you are unsure what information is permissible to take with you as you depart, please consult with your department and Human Resources and see the Data Handling Policy at http://www.brynmawr.edu/computing/policies/DataHandlingPolicy.htm

Library Borrowing

All library borrowing privileges end on your final day at the College. If you are also a graduate of Bryn Mawr College, you may request alumni borrowing privileges on the Library web site here: https://brynmawr.wufoo.com/forms/borrowing-privileges/ More information about Bryn Mawr College borrowing policies can be found here: http://www.brynmawr.edu/library/BorrowingPolicies.html

Domain of One’s Own

Domain of One’s Own access will end on your final day at the College. For information on migrating your data, please see http://techdocs.blogs.brynmawr.edu/7430

Voicemail

After your departure, your voicemail is emptied and all settings are reset. The phone extension is then assigned to another employee.

Building Access

OneCard door access ends on your final day at the College. You will still have access to any public buildings on campus, but will not be able to access secured spaces.

See the Server Accounts and Access policy for more information.

SCAMALOT! Part VI

Welcome to a special edition of SCAMALOT! In this post, we change course from our usual mission of providing tips and tricks for recognizing phishing attacks to learn how to assess automated emails you’ll encounter in your inbox.

At times, you will receive automated messages from Bryn Mawr College or Bi-College software, like the password reset web site. These messages may be less personalized and come from an address that does not belong to an individual (e.g. help@brynmawr.edu, accounts@haverford.edu), which may make them look suspicious at first glance.

While it’s much better to be overly cautious than too trusting when navigating your inbox, it’s good to know that not every message that contains suspicious elements or lacks certain information is a phishing email. This post will examine a legitimate email that may seem dubious to some — the password expiry notification email.

After reading this post, you’ll be better equipped to approach various types of automated emails with confidence!

Password Expiry Email

accounts@haverford.edu? What is this?

Sample question: “Not only is this email coming from a Haverford address, but it’s not even coming from a real person. Who is accounts@haverford.edu?!”

Bi-Co Password email header

This is a valid question! Bryn Mawr College and Haverford manage some account access jointly. Password expiry emails are sent from Haverford to both BMC and HC folks when their passwords will expire soon.

The email includes contact info for Bi-Co community members to utilize if they have questions regarding the legitimacy of the message.

PW Expiry contact info

Also, at the bottom of the email, you’ll notice that it is indeed signed by a HC staff member and a BMC staff member.

PW signature

The password expiry notification email is very good about providing ways to verify its authenticity; however, not all automated emails you receive from BMC or Bi-Co software will provide this information. The most effective way to determine if any message is legitimate is to contact the sender via a known, trusted [method]. If the email is not signed by an individual sender, utilize the Faculty/Staff directory to contact someone from within the relevant department: http://www.brynmawr.edu/find/facultystaff/. The Help Desk can also help verify the legitimacy of messages.

Important to remember: just because a message says it comes from a BMC, Haverford, or other familiar domain, doesn’t mean it’s legitimate!

Why is it directing me to a Haverford URL?

Sample question: “The email is telling me to go to a Haverford website to change my password. That seems very phishy to me.”

This is another valid point. Because both colleges use the same password management software across both campuses, there is only one web site for it, currently hosted by Haverford. The email mentions this:

PW Expiry 1

You’ll notice that if you visit the URL password.brynmawr.edu or accounts.haverford.edu, they lead to the exact same page: https://idm.haverford.edu/identity/self-service/bico/kiosk.jsf

password.brynmawr.edu and accounts.haverford.edu use what’s known as URL redirection, which allows organizations to use easy to remember web addresses, even if the full URL later changes with software changes.

Consider the purpose (and tone) of the message

Before taking any action, always stop to analyze the purpose and tone of the message. Consider what the message is trying to convey. Is the message purely informational, or is it urging you to log in to a website or open an attachment? If the message is informational and not asking for any action or input from you, it isn’t phishing!

Phishing messages will often create a sense of urgency to convince you to take action or face consequences (e.g. “Verify your account within 24 hours or your account will be deleted!”). Notice that the password expiry notification email does not contain threatening language, but rather advises the recipient to change their password at their earliest convenience.

Approach any message that asks you to open an attachment or click on a link with extreme caution. Criminals can easily spoof links to look real, but take you to a fake login page where they can steal your sensitive information. Get into the habit of typing known, trusted URLs into your browser rather than clicking on links within emails. Automated emails sent from College/Bi-Co software, such as the password expiry notification, will usually advise you to type in the URL of the password reset page.

Know your role!

Be aware of College policies and processes as they pertain to your role on campus. You should expect regular emails notifying you when your Bi-Co password is scheduled to expire. If you receive an email requesting that you change your College password and you’re suspicious, contact the Help Desk.

That’s it for this edition of SCAMALOT! Learn more about how to recognize scams by completing the College’s Information Security Education Program: http://lits.blogs.brynmawr.edu/7100

Contact the Help Desk with any questions (x7440, help@brynmawr.edu). Again, you are welcome to call if you’d like help determining the legitimacy of a message.

 

 

 

SCAMALOT! Part V

In this edition of SCAMALOT, we’ll take a closer look at an email that raises a number of common phishing flags. Scam emails aren’t always as easy to identify as you might think; it may have been a while since you’ve been asked to wire money to a foreign prince! The most dubious attacks have a very realistic tone and come from what looks like a legitimate person or organization (or as we’ll see below, from an actual Bryn Mawr College account). This means that stopping for just a moment to analyze the details of a message is imperative to protect yourself and the College from harm.

After reading this post, you’ll be better equipped to recognize phishing attacks and hopefully be persuaded to look at your emails just a bit more scrupulously in the future.

As with previous editions of SCAMALOT, this post won’t be a list of every way to determine if an email is legitimate, but it will help raise your awareness of common phishing tactics.

Don’t automatically trust an email from a known person/organization

As we covered in SCAMALOT Part IV, an email that appears to come from someone at a trusted organization (such as the College) could still be a scam. The email address could have been spoofed (forged so the message appears to come from someone other than the actual source) or the sender’s account could have been compromised and used to send phishing attacks. In this particular example, by clicking on Robin’s name in the email’s header, we see the account sending the phishing emails is indeed a Bryn Mawr College account. The account had been compromised by a previous phishing attack.

What’s ITS?

You might also have noticed that although the message is from Robin Banks, the greeting line (if you could call it that) reads “ITS Chief Technology Officer.”

A department called “ITS” does not exist at Bryn Mawr College. Library and Information Technology Services (or LITS) certainly does! That being said, look out for phishing attacks claiming to come from LITS or LITS staff.

Also, by examining the email signature, we can see that the message is not signed by Robin or another individual. Beware of ambiguous signatures signed by a team or group. All communications from LITS will be signed by a LITS staff member; we encourage all community members to also sign their emails. This signature also contains a few other strange elements, including a copyright year and the subject line of the email (with gratuitous use of exclamation points!!! — another way scammers try to grab your attention).

Sniff Out Social Engineering Attacks

Cyber criminals are experts at creating appealing “bait” to convince folks to “bite” and provide the attackers with sensitive information. Learn to recognize the common elements of their traps:

Deadlines

“If not verified within 24 hours…”

Attackers know that when confronted with a deadline, people are more likely to take action. You may recognize this cheap tactic from TV advertisements: “Call within the next 2 minutes for free shipping!”

Consequences

“…you might not be able to receive new emails.”

“…your account will be blocked.”

Attackers know that the idea of not having access to email is a frightening thought. Phishing emails often present you with impending penalties such as being locked out of your accounts, not getting a package delivered, being fined by the IRS, etc.

Calls for Action

“Please click the link below and and verify your account.”

Note: Yes, the email does have this typo!

The attacker has instilled a sense of urgency with the deadline and consequence; now, they’ll provide a way to prevent the consequence. Don’t take the bait! It’s best practice not to log into a service such as your email, bank, or social media accounts from links within emails. Navigate to the service from a known, trusted URL by typing it into your browser or using a bookmark. Have further questions about the validity of the message? Contact the person or organization from a known, trusted phone number. LITS can help with this, too.
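The deadline, consequence and call-for-action pattern described above can be checked mechanically. The following is an added example, not part of the original post: the cue patterns are assumptions modelled on the fragments the post quotes, and the sample messages are constructed (the phishing sample joins the quoted fragments, keeping the original "and and" typo).

```python
import re

# Assumed cue patterns for this example; a reworded message will evade them,
# so treat a match as a prompt for closer inspection, not as a verdict.
CUES = {
    "deadline": [
        r"\bwithin (?:the next )?\d+ (?:minutes?|hours?|days?)\b",
        r"\bimmediately\b",
    ],
    "consequence": [
        r"\b(?:might|may|will) not be able to\b",
        r"\bwill be (?:blocked|deleted|suspended|locked)\b",
    ],
    "call_to_action": [
        r"\bclick (?:here|(?:on )?the link)\b",
        r"\bverify your account\b",
    ],
}
COMPILED = {c: [re.compile(p, re.I) for p in pats] for c, pats in CUES.items()}


def tag_sentences(text):
    """Return [(sentence, {category: [matched phrases]})] for sentences with cues."""
    tagged = []
    for sentence in re.split(r"(?<=[.!?])\s+", text.strip()):
        hits = {}
        for category, patterns in COMPILED.items():
            found = [m.group(0) for p in patterns for m in p.finditer(sentence)]
            if found:
                hits[category] = found
        if hits:
            tagged.append((sentence, hits))
    return tagged


def categories(text):
    """Set of cue categories present anywhere in the message."""
    return {c for _, hits in tag_sentences(text) for c in hits}


def is_pressure_pattern(text):
    """True only when deadline, consequence and call to action all appear."""
    return categories(text) == set(CUES)


# Constructed sample: the post's quoted fragments joined into one message.
PHISH = ("If not verified within 24 hours you might not be able to receive new "
         "emails and your account will be blocked. "
         "Please click the link below and and verify your account.")
# The TV advertisement line quoted in the post: a deadline on its own.
TV_AD = "Call within the next 2 minutes for free shipping!"
# Constructed sample in the tone of a routine password expiry notice.
NOTICE = ("Your Bi-Co password will expire in 14 days. Please change it at your "
          "earliest convenience by typing password.brynmawr.edu into your browser.")

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("TV_AD", TV_AD), ("NOTICE", NOTICE)):
        print(name, sorted(categories(msg)), is_pressure_pattern(msg))
```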

You have a 50 Gigabyte mailbox

One of the most common types of phishing attacks contains the warning that you’ve exceeded your mailbox limit. This is highly unlikely. Each BMC community member has a 50 Gigabyte mailbox. A typical 80-word email is around 10 Kilobytes. This means you’d need about 5 million emails before you exceeded your mailbox’s limit. Visit LITS Tech Docs for more information on file size: http://techdocs.blogs.brynmawr.edu/5523

If you’re interested in checking your mailbox usage, follow these steps.

  1. Click on the Settings button (gear icon)
  2. In the Settings menu, click on Mail
  3. Under General, click on My Account
  4. Your mailbox usage is listed towards the bottom of the screen

Links: Hover to Discover

It’s never wise to click on links in emails received from unknown people or organizations. Even if you do know the sender, it’s best practice to closely examine links in emails before you click on them.

It’s a bit odd that the message doesn’t describe where the link leads. It says, “CLICK HERE,” but where exactly is “here?” That being said, just because an email describes where the link supposedly goes does not mean you should proceed without caution. For example, a phishing message could contain this text: “Visit the BMC Webmail log in page to verify your account: webmail.brynmawr.edu”

 

Hovering over the CLICK HERE text in our example email reveals the following destination:

aboutus.in/admin/notice/brynmawr/brynmawr/Sign In.html

Does the link look legitimate? aboutus.in is a website registered in India. The attackers added “brynmawr” and “Sign In” to make the link appear genuine.

That’s it for this edition of SCAMALOT! Learn more about how to recognize scams by completing the College’s Information Security Education Program: http://lits.blogs.brynmawr.edu/7100

Contact the Help Desk with any questions (x7440, help@brynmawr.edu). Please feel free to call if you’d like help determining the legitimacy of a message.

 

SCAMALOT! Part IV

Welcome back to SCAMALOT! In this spring 2017 edition, we continue to closely examine aspects of scam emails to help you identify similar attacks in the future. There is usually more than one way to determine if a message is legitimate or not, and by taking the time to look for phishy evidence in your Inbox, you’ll help yourself and the College stay safe from Information Security threats. In today’s adventure, we look at a classic case of a phishing email, with the attacker using a variety of elements to build enough trust for unsuspecting readers to fall victim. This post won’t be a list of every way to determine if an email is legitimate, but will help raise your awareness of common phishing tactics.

First Things First

If you haven’t yet completed the College’s Information Security Education program, all BMC community members are responsible for doing so. Learn how to recognize and respond to common information security threats. For more details, including instructions on how to access and complete the program, visit the LITS blog: http://lits.blogs.brynmawr.edu/7100

Take a minute to review the email below. Do you see anything scammy?

Be Email Defenders: Don’t Trust Unknown Senders

First and foremost, let’s figure out who Robyn Banks is. Clicking on their name in the Outlook Web App will open up a profile card, showing their email address.

OK, it looks like Robyn Banks is a BMC community member. However, even if the message appears to come from an individual or organization you trust, there is always a chance the address is spoofed (forged so the message appears to come from someone other than the actual source) or their account was compromised and is now sending phishing attacks.

What’s the best way to verify if the sender is who they say they are? Pick up the phone and call the individual at a known, trusted number.

Subject Lines

Cyber criminals will attempt to lure you in with an urgent call to action or other “important” notifications in subject lines. Take a moment to ask yourself, “Who is BMC Admin, and what important information would they need to tell me?”

LITS will always contact you directly via phone or email; you’ll never have to log in to another site to access a message from us (unless it’s a voicemail!).

Accurate Logo Doesn’t Mean Good to Go!

Don’t let a familiar logo fool you into letting your guard down. Cyber criminals can easily get their hands on images like the official College wordmark via an internet search or on the College’s website.

Dear User?

Scammers will send messages to a large number of people hoping a few will take their bait, and what better way to greet everyone than with a vague salutation like “Dear User”?

While a message that addresses you by name is not guaranteed to be legitimate, being addressed as “user” should be setting off your phishing detector.

The Danger Zone

Opening and reading an email is usually innocuous in and of itself. The real danger lies in the action the message asks you to take. In this case, the scammers want you to click on the button to “Sign In” and read the message from “BMC Web Admin.” In reality, clicking on this button will lead to a fake website (that may closely resemble one you’re familiar with). Logging in to this fake website will hand over your BMC credentials to the baddies.

Be cautious when clicking on any links in an email. It’s very simple for anyone to create a hyperlink that leads to somewhere different than what it seems. See for yourself; hover over this link to see the true destination: https://www.webmail.brynmawr.edu (it’s also safe to click on, but contains sound!).

Rather than clicking on links within emails to sign into services such as your email, your bank, or even social media tools such as Facebook or LinkedIn, type in the known URL into your browser.

Where does this button lead?

Hovering over the button reveals its true destination in the lower left hand corner of your browser window. The button in this message is particularly clever, with a different link depending on where your cursor is hovering:

URL 1

If we place our cursor over the left side of the button, it links to www-personal.umich.edu/~mkd/moodle.brynmawr.edu/login/.

URL 2

Moving the cursor to the right side reveals a link to myweb.nmu.edu/~chrbaker/passport.pitt.edu/idp/profile/SAML2/POST/SSO/execution/

Odd, right? Why would there be two URLs within one button? Cyber criminals will sometimes build this redundancy into their attacks in hopes that if one of the links is blocked or the fake site taken down, the other will continue to work.

Examining the URLs

Let’s take a look at the first URL again:

There’s a good chance that you’re familiar with the BMC Moodle URL, moodle.brynmawr.edu. However, what’s the deal with the front half of this one?

www-personal is the name of a server at the University of Michigan. Scam alert: It’s possible that the cyber criminals compromised an account at the U of M and were using it to host a fake website designed to look like BMC’s Moodle page. Sound downright devious? You bet!
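The "hover to discover" checks from this post and from Part V can be scripted for an HTML message body. The following is an added example, not code from the original posts: it uses the three destinations quoted on this page (the `http://` scheme is added for the sample), while the HTML itself, the `login.example` host and the `TRUSTED` list are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("brynmawr.edu", "haverford.edu")   # assumption: domains the reader trusts
FILE_EXT = {"html", "htm", "php", "jsf", "asp", "aspx", "js", "css", "pdf"}
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def split_url(url):
    """Return (hostname, path) the way a browser would read the link."""
    if "://" not in url:
        url = "http://" + url          # hover text often omits the scheme
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path.lower()


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED)


def check_url(url):
    """Explain why a destination is not what its path makes it look like."""
    host, path = split_url(url)
    findings = []
    for seg in path.split("/"):
        # A path segment shaped like a hostname is decoration, not the destination.
        if (HOSTLIKE.fullmatch(seg) and seg != host
                and seg.rsplit(".", 1)[1] not in FILE_EXT):
            findings.append(f"path contains hostname '{seg}' but the real host is '{host}'")
    if not is_trusted(host):
        for domain in TRUSTED:
            name = domain.split(".")[0]
            if name in path and not any(name in f for f in findings):
                findings.append(f"'{name}' appears in the path of untrusted host '{host}'")
    return findings


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit(html):
    """Report each link's real host and any mismatch with what the reader sees."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for text, href in parser.links:
        host, _ = split_url(href)
        findings = check_url(href)
        shown = HOSTLIKE.search(text)
        if shown and split_url(shown.group(0))[0] != host:
            findings.append(f"text shows '{shown.group(0)}' but the link goes to '{host}'")
        report.append({"text": text, "host": host, "findings": findings})
    return report


# Destinations quoted on this page; everything else in the HTML is constructed.
URL_1 = "http://www-personal.umich.edu/~mkd/moodle.brynmawr.edu/login/"
URL_2 = "http://myweb.nmu.edu/~chrbaker/passport.pitt.edu/idp/profile/SAML2/POST/SSO/execution/"
URL_3 = "http://aboutus.in/admin/notice/brynmawr/brynmawr/Sign In.html"
SAMPLE_HTML = (
    f'<a href="{URL_1}">Sign</a><a href="{URL_2}"> In</a>'
    f'<p><a href="{URL_3}">CLICK HERE</a></p>'
    '<p><a href="http://login.example/webmail">https://www.webmail.brynmawr.edu</a></p>'
    '<p><a href="https://moodle.brynmawr.edu/">moodle.brynmawr.edu</a></p>'
)

if __name__ == "__main__":
    for row in audit(SAMPLE_HTML):
        print(f"{row['text']!r} -> {row['host']}")
        for finding in row["findings"]:
            print("   !", finding)
```

The two halves of the "Sign In" button resolve to two different hosts, and in every flagged link the familiar name sits to the right of the first slash rather than in the hostname.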

Other Things:

An email without a signature is another key indicator of a phishing message, and this email isn’t signed by anyone. All communications from LITS will be signed by a LITS staff member; we encourage all community members to also sign their emails.

Lastly, while the text at the very bottom of the email might seem to lend the message credibility and add a comforting touch, Bryn Mawr College does not have a “School Help Center.”

Contact the Help Desk with any questions (x7440, help@brynmawr.edu). Please feel free to call if you’d like help determining the legitimacy of a message.