What is phishing?
Phishing is when attackers attempt to trick users into doing 'the wrong thing', such as clicking a bad link that will download malware, or direct them to a dodgy website.
Phishing emails are getting cleverer, more realistic and more frequent. Spam and email filters do some of the work but will never be fully effective, so it’s up to each of us to read the context of messages and look for anything suspicious.
There are useful tips below to help you spot a Phishing or fake email, but three key items to look out for are:
Using tight deadlines to create a sense of urgency that distracts you from the rest of the message and pressures you into acting quickly.
Using the authority of the sender, such as by pretending to be a senior executive, trusted colleague or reliable company, to convince you that the message comes from a trustworthy source.
Exploiting 'normal' business communications, processes and daily habits to trick you into reacting to a message. Check who the email is addressed to, if it's 'friend' or 'valued customer', then this might be because the sender doesn't know you.
All staff and student Microsoft 365 accounts are continually monitored for suspicious activity. If an account is suspected of being compromised it is immediately disabled and the IT Service Desk will contact the owner of the account.
Examples
Here are some examples of what a phishing email might look like:
A very common phishing email is where a threat actor will state that they have access to your devices or Network and have been able to record you doing something inappropriate.
This type of blackmail will generally request a relatively small amount of bitcoin, which a user is more likely to pay, if they believe the email is legitimate. See the example below;
"From: John Doe <[email protected]>
Sent: 15 September 2022 10:53
To: John Doe <[email protected]>
Subject: BAD NEWS
I will be direct You watch adult content often, and I caught you masturbating. We all do it from time to time. How I did this Your router was vulnerable. I was able to inject some code into the firmware, and every device connected on the network, including phones, was compromised. Then I set every device available to record with the camera only when you watch adult content. I also got your contact lists, phone numbers, emails, social media contacts, and here is the deal. If you don`t pay me $1790 USD worth in Bicoin, I will send your masturbation video, search history, and all your private chat to all your contacts and all social media
Bitcoin Address: 1Ge14LLbxxxxxxxxxxxxx
AMOUNT: 0.087 BTC || approximately ||
Copy the address perfectly, with no mistakes"
As you can see by the above email, the malicious actor has been able to spoof the senders address, to make it appear that it was sent from their own account to make it appear legitimate. These scams are made to appear even more credible because they provide seemingly plausible technical details about how this was achieved.
The threat actor hopes to emotionally trigger people so that they will ‘take the bait’ and pay the ransom.
This type of phish is where a threat actor will pretend to be the IT support team by either spoofing the name or showing a generic support name and advise that your account password has or is due to expire soon.
The email will contain a legitimate looking password reset button or image that can be clicked anywhere but will take you to a fake site, designed to harvest your credentials by mimicking the website. See the example below:
You can see from this example that the email address has been spoofed, the link goes to a suspicious looking URL and the threat actor used a sense of urgency to try and get the user to click on the link by advising that the password had been set to expire on a set date.
This video contains more information on phishing:
Should you identify any suspicious emails or targeting phishing, you can report it to the University via the Report Phishing link that is found in Outlook.
Key points
Remember to:
- Look at the email address, not just the senders name. Make sure it is a valid company address (Microsoft will never send you an email asking you to log in, from a colleague’s/teacher's email address.)
- Look again at the email/web address. Some false addresses look very like the real ones.
- Look for grammatical mistakes, not just spelling mistakes. When crafting phishing messages, scammers will often use a spellchecker or translation machine, which provide all the right words but not necessarily in the right context or order.
- Hover your mouse over any links, to check they go to a valid address/destination.
- Look out for a sense of urgency. If the email is rushing you into doing something, (even if from your boss or teacher), before you respond, contact the sender using a different method, to check it is from them.
- Follow your instincts, if it feels dodgy, it probably is!