
Friday, April 12, 2019

Caught Phishing Email

Earlier this year ITS caught an email that attempted to steal someone's paycheck.


Tue, 19 Mar 2019 19:44:48 +0000
From: "Brennan O'Donnell," <ceosoffice@lycos.com>
To: ██████.█████████@manhattan.edu

Hi ██████ ,

Are you in the office?

I changed my bank and I'll like to change my paycheck dd details,
can the change be effective for the current pay date?.

Best Regards,
Brennan O'Donnell

Thankfully, with the help of some tools Google offers, this was not delivered to anyone's inbox.

But what if the email had been delivered successfully? The phishers are hoping that no out-of-band communication happens, such as phoning the employee they are posing as. They are also hoping that manual and form-driven processes get bypassed so the work is done quickly.

Do not be surprised if phishers start posing as family members asking for help. Phishers can surf the web and track your social media accounts to build a comprehensive graph of people you likely know. Talk to your loved ones about this type of scam. Be safe.
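The message at the top of this post pairs a VIP's display name with an outside freemail address and a payroll-change request, and those traits can be checked mechanically. The following is an added example, not ITS's code and not how Google's tools work; the VIP list, internal domain set, keyword pattern and the placeholder recipient address are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: names worth protecting, domains treated as
# internal, and phrases typical of payroll-diversion requests.
VIP_NAMES = {"brennan o'donnell"}
INTERNAL_DOMAINS = {"manhattan.edu"}
PAYROLL_RE = re.compile(r"\b(paycheck|payroll|direct deposit|dd details|bank)\b", re.I)

# Constructed sample: the message quoted in this post, with the redacted
# recipient replaced by a placeholder address.
SAMPLE = """\
Date: Tue, 19 Mar 2019 19:44:48 +0000
From: "Brennan O'Donnell," <ceosoffice@lycos.com>
To: recipient@manhattan.edu

Hi,

Are you in the office?

I changed my bank and I'll like to change my paycheck dd details,
can the change be effective for the current pay date?.

Best Regards,
Brennan O'Donnell
"""

def normalize(name):
    """Lower-case a display name and drop stray punctuation (e.g. a trailing comma)."""
    return re.sub(r"[^a-z' ]", "", name.lower()).strip()

def score_message(raw):
    """Return the reasons a raw RFC 5322 message looks like VIP impersonation."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    external = domain not in INTERNAL_DOMAINS
    reasons = []
    if external and normalize(display) in VIP_NAMES:
        reasons.append(f"VIP display name from external domain {domain}")
    if external and PAYROLL_RE.search(msg.get_payload()):
        reasons.append("payroll change request from external sender")
    return reasons

if __name__ == "__main__":
    for reason in score_message(SAMPLE):
        print("FLAG:", reason)
```

A hit is a reason to quarantine the message or add a warning banner, not proof of fraud, since a real executive may occasionally write from a personal account.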

Tuesday, April 9, 2019

Whaling, SMiShing, and Vishing…Oh My!


[Image: credit card with fish hook speared through it]


Cybercriminals use types of social engineering—manipulating people into doing what they want—as the most common way to steal information and money. Social engineering is at the heart of all types of phishing attacks—those conducted via email, SMS, and phone calls. Technology makes these sorts of attacks easy and very low risk for the attacker. Make sure you're on the lookout for these variants on the traditional, mass emailed phishing attack.
  • Spear phishing: This kind of attack involves often very well-crafted messages that come from what looks like a trusted VIP source, often in a hurry, targeting those who can conduct financial transactions on behalf of your organization (sometimes called "whaling").
  • SMiShing: Literally, phishing attacks via SMS, these scams attempt to trick users into supplying content or clicking on links in SMS messages on their mobile devices. Flaws in how caller ID and phone number verification work make this an increasingly popular attack that is hard to stop.
  • Vishing: Voice phishing, these are calls from attackers claiming to be government agencies such as the IRS, software vendors like Microsoft, or services offering to help with benefits or credit card rates. Attackers will often appear to be calling from a local number close to yours. As with SMiShing, flaws in how caller ID and phone number verification work make this a dangerous attack vector.
No matter the medium, follow these techniques to help prevent getting tricked by these social engineering attacks:
  • Don't react to scare tactics: All of these attacks depend on scaring the recipient, such as with the threat of a lawsuit, a claim that their computer is full of viruses, or a warning that they might miss out on a chance at a great interest rate. Don't fall for it!
  • Verify contacts independently: Financial transactions should always follow a defined set of procedures, which includes a way to verify legitimacy outside email or an inbound phone call. Legitimate companies and service providers will give you a real business address and a way for you to contact them back, which you can independently verify on a company website, support line, etc. Don't trust people who contact you out of the blue claiming to represent your company.
  • Know the signs: Does the message/phone call start with vague information, a generic company name like "card services," an urgent request, and/or an offer that seems impossibly good? Hang up or click that delete button!
For further information on how a phishing attack affected this undergraduate student, view this video:




Information Security Awareness Training Video: "Phishing: E-Safe"


View this video for strategies on how to address illegal robocalls:

FCC Chairman provides some tips to help consumers confront illegal robocalls and maliciously spoofed calls.

Partially reposted from: Educause Campus Security Awareness Campaign 2019: April 2019: Whaling, SMiShing, and Vishing…Oh My!