Craftier phishing attacks are making waves in the new year. Phishers recently cast their lines in a sea of NC State employees and reeled in several in an attempt to obtain gift cards.
In the scam, phishers sent email purportedly from a university administrator or colleague requesting gift cards for other staff members. Several people replied, but no one lost money or purchased gift cards.
The January attack is a prime example of the more sophisticated techniques phishers employ — the exploitation of real-world identities and connections. Phishers behind the email were able to deceive employees by creating an email address that mimicked an actual campus email address: unityID.firstname.lastname@example.org.
The phishing email read: “Hi are you around? I need some help.”
When the employee responded, the employee received the following reply: “I am in a meeting and cannot use the phone. Can you buy me 2 $100.00 Apple gift cards for people in this meeting?”
In spear phishing attempts like this one, phishers not only pose as as a boss or colleague, but they also understand what is important to targeted audiences, like job openings, citizenship status, and student loan payments, and use these as ways of gaining sensitive information — often in a quick time frame. These sophisticated strategies are targeted and designed to get more responses than past tactics — and unfortunately, they are effective.
Knowing the ways phishers craft and target their messages is key in protecting yourself and the university, so be prepared.
- Know your senders
Phishing emails can look like they come from trusted sources. Before clicking on links or opening attachments, ensure you recognize the sender’s email address. When in doubt, don’t click on links or open attachments.
- Beware of phishy emails
Phishing emails may be vague or sound “funny” and can contain multiple spelling or grammar errors. If you receive such an email that appears to come from a person you know, contact the sender by phone for verification. Do not reply to the sender by email, as you may be communicating with someone who has hacked the sender’s account.
- Don’t forward phishing information to others, especially the active bad links
You may want to warn your friends, co-workers or end users of a phishing attack by forwarding them a phishing email. With some attacks, you can get your account phished or device compromised just by clicking on the email link that directs you to a fraudulent website or form.
- Instead, send a summary of the phishing email text and subject line
You can mention the links or take a screenshot of the original email, but do not include the real one. Never forward a “loaded” phishing email, and tell others not to do so.
- Don’t share sensitive data
No matter how “official” an email appears, legitimate companies and organizations will never ask for personal information, such as passwords and account numbers via email. Such phishing emails often contain urgent messages, requesting that you provide sensitive data to avoid an action being taken against you.
- Recognize phishing in all its forms
Phishing attacks aren’t limited to just email. They may also come in the form of instant messages or text messages (aka smishing) or even phone calls (aka vishing). Follow the same precautions you would for email when receiving links, attachments or requests for personal information by any of these methods.
- Ensure your antivirus software scans for malware
Viruses are only one type of malware, so confirm that your antivirus is also protecting your devices against other malware, such as worms, spyware, nagware, trojans, adware, and a host of malicious codes.
- Keep up with phishing trends and tactics
Pay attention to articles and alerts concerning current phishing scams, especially during certain times of the year, such as the tax season. See IRS Tax Scams / Consumer Alerts.
- Monitor and report suspicious activity
- When possible, view university emails using Gmail mobile and web clients. Potentially phishy messages will often be flagged in Gmail with a warning. Also, check your Gmail account activity to spot any unusual or unauthorized actions.
- In your Google email, select Report phishing from the drop-down menu in the upper right corner of your message. See Avoid and report phishing emails.
- You can also send new phishing emails to email@example.com. Make sure you include the full email headers.
- Turn on two-factor authentication to protect the data in your Google Apps @ NC State account and your personal email address. To view a list of applications that support 2-Step Verification, see Two Factor Auth (2FA).
- Store sensitive university data in the appropriate storage location.
See Storage Locations for University Data.
As always, contact the NC State Help Desk at firstname.lastname@example.org or 919.515.4357 (HELP) with any concerns or questions about suspicious emails, before you click on any links.
For additional information on phishing and computer safety tips, refer to the following resources: