Account/Password Phishing information
What is a phishing message?
- Phishing, as typically seen in a university setting, is when outside scammers send emails that pretend to come from a campus IT administrator in order to lure unsuspecting Faculty, Staff, and Students into giving up their account passwords. The emails direct recipients either to reply with their password or to click a link that opens a website form asking for it. The scammers collect the usernames and passwords and use them to send spam to the Internet while authenticated as the account whose password they collected in a successful phishing attempt.
- The messages can even appear to come from a bloomu.edu email address, since From addresses can be spoofed or simulated. The one clear similarity is that they ask for your information to go to a host outside of bloomu.edu, either through a Reply-To address (the address that replies are directed to, which differs from the From address when a Reply-To header is set) or through an off-campus web server that collects the information. Keep in mind that while most phished passwords are only used to access your email account, the scammer actually has access to every university system you have access to and can view or delete any files or information you can reach. The spammer typically deletes the contents of your mailbox periodically while spamming, to make sure the mailbox doesn't go over quota, which would stop the ability to send out more spam.
- The most typical phishing messages sent to BU accounts ask BU Faculty, Staff, or Students to confirm their email accounts by supplying their username and password. They claim the account will be terminated for being inactive or over quota, and that if you don't send the password within a short time period, your account will be terminated. DON'T FALL FOR IT! Look at the examples at the bottom of this page.
- When trying to determine if the email is authentic or not, remember one very important detail: Bloomsburg University will never send you email requesting you to provide your username, password, or any other personally identifying information.
- Things to look for to verify if the email is a phishing email:
  - Spelling errors and bad grammar
  - Odd formatting (e.g., incorrect use of capital letters, punctuation, or line returns)
  - No real person's name included in either the greeting or the signature
  - A return or Reply-To email address that is spoofed. You can view "full headers" to see what is listed as the actual return address.
  - If a password is being requested, you know the email is not legitimate. We will never request your password. Look at what else is being requested as well (e.g., a request for your country or territory should also raise flags that it's not us requesting the information).
  - No mention of a phone number to call or person to contact
  - Deleting an account due to lack of response: we would never follow that kind of practice
  - A hyperlink with an odd-looking URL (for instance, with a foreign country as the domain, or one that tries to match a legitimate web address but is spelled differently)
- But beware - some phishing messages actually include valid From addresses such as firstname.lastname@example.org or email@example.com that are spoofed or simulated, include the words "Bloomsburg University", include Bloomsburg University's actual street address and phone number, have correct spelling and grammar, and list an actual person's name (typically the name of someone who does not work for the university) in the body of the email to make it seem more legitimate. They can even steal a BU logo and put it on the web form. Pay careful attention to web page addresses before ever typing in your password.
- Education about phishing is so important because when a BU account is compromised and sends spam to the Internet, it causes problems for all Bloomsburg University Faculty, Staff, and Students. As our mail server sends authenticated spam, our servers start showing up on spam lists and many mail servers on the Internet blacklist them, so the rest of the non-compromised email accounts can no longer get their Internet email delivered successfully. This is outside of our control, other than re-securing compromised accounts and trying to convince each and every Internet mail server out there that we've cleaned up the situation and won't be spamming them anymore.
If you've received a phishing message...
- Do not reply to it.
- Do not click the URL.
- Do not ever provide your password.
- You can forward the message as an attachment to firstname.lastname@example.org so we can take action to help ensure other BU Faculty, Staff, and Students who received the same message do not get their accounts compromised. This can include blocking outgoing emails to the Reply-To address or, when possible, removing the message from all inboxes.
If you've fallen for a phishing scam...
- First and foremost, change your password so the scammer no longer has access to your account.
- Expect angry replies and Non-Delivery Messages for a few days if your account was used to spam Internet email addresses. Some compromised accounts have sent out spam to tens of thousands of email addresses in a relatively short time period before the account has been re-secured.
- Finally, report the incident to email@example.com so we are aware the account is no longer compromised. When we discover a compromised account, usually the first thing we do is change the password to something else so the spammer can no longer use it. However, this also locks you out of the account, so to prevent that, please notify us once you have control of your account again.
How do I know what's phishing and what's legitimate?
- Phishing messages typically have a Reply-To address or web link to a host outside bloomu.edu, include an unfamiliar or blank TO address, include general statements like "Dear email account owner" or "EDU webmail user", threaten lost service if you don't act, often have poor spelling and grammar, include a sense of urgency by giving deadlines like 24 hours, 2 days, or 2 weeks, and request userids and passwords through email.
- Legitimate messages from the Bloomsburg University Office of Technology will NEVER ask you for your password. They typically just give updated information about technology and your user account. We may tell you to go to a website where you should enter your username and password to authenticate and access a university resource, but it's not simply a form where we are collecting the information to mark your account as active, keep an account around, or give you more quota. Faculty/Staff get to keep their account while they are still employed, and students get to keep their email account forever on Microsoft Live - without EVER having to supply a password in response to an email from us. We may ask you to click a link to log into a new technology system, such as the ISIS (Integrated Student Information System) system, but pay close attention to the web address. In legitimate messages, links to websites that ask you to log in with your Bloomsburg University account are always in the bloomu.edu domain. You can easily check this by looking just to the left of the first slash (/) after http://. This is where the domain in the URL is located. For instance, legitimate bloomu.edu URLs are http://www.bloomu.edu/technology/ and http://www.bloomu.edu/isis/logon and http://reset.bloomu.edu/. Be sure not to be tricked by URLs that do include bloomu.edu, but not at the domain level. For instance, http://www.bloomu.edu.9.cn/ and http://account.bloomu.edu1.com/ are not bloomu.edu URLs. Also be sure you aren't being tricked into going to a different website than the link text specifies. If you mouse over a link in an email, it will show you what address the link points to without your having to click it. For instance, the following link actually goes to example.com, even though the link text looks like a bloomu site: http://www.bloomu.edu/.
To learn more about phishing in general...
- Please take a look at the phishing type examples and examples of actual phishing emails that have been sent to Bloomsburg University faculty, staff, and students in the next few sections of this page.
- Be aware that email phishing campaigns are also used to pull off more serious criminal acts such as stealing credentials for bank or credit card websites, bank account numbers or credit card numbers themselves, or stealing identity through identity theft.
- Take a look at the Phishing Wikipedia page.
- There are several ways to hone your skills for recognizing phishing emails. Here are some quizzes we've found that are available online for phishing education:
- Anti-Phishing Phil Demo from Wombat Security Technologies: http://www.wombatsecurity.com/antiphishing_phil/index.html
- SonicWALL Phishing and Spam IQ Quiz: http://www.sonicwall.com/phishing/
Phishing Type #1 - They want you to reply with your password in an email
In the following example, a Reply-To address is set that will send replies to an address outside bloomu.edu, where they are collecting passwords. It is difficult to tell at a glance that a Reply-To header is set: to see it, you have to open the full headers of the message, or click reply and notice the email address on the TO line to see where replies are directed because of the Reply-To address. Click the email to enlarge.
Phishing Type #2 - They want you to click on a link and enter your password in a web form
In the following two examples, there is a link to a web page outside bloomu.edu where they want you to enter your password. You will always notice that URL links in this type of message are not in the bloomu.edu domain. You can easily see this by checking just to the left of the first slash (/) after http://. This is where the domain in the URL is located. Be sure not to be tricked by URLs that do include bloomu.edu, but not at the domain level. For instance, http://www.bloomu.edu.9.cn/ and http://account.bloomu.edu1.com/ are not bloomu.edu URLs. Click the emails to enlarge.
Here are examples of off-campus web forms set up to collect passwords through a link in a phishing message. Pay special attention to the third one, which copied our faculty/staff email login page; notice that it is being hosted on a website in Australia. Always check the web page address before entering your BU username and password on any web page. You can click individual forms to enlarge.
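The two checks this page teaches (is the Reply-To address outside bloomu.edu, and is the domain just left of the first slash really bloomu.edu) can be written down precisely; the Python below is an added example written for this page, not a tool from Bloomsburg University, and it also catches the "user@host" trick that the left-of-the-first-slash rule alone would miss. The sample message, the helpdesk@bloomu.edu sender and the verify-account@example.net Reply-To are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

CAMPUS_DOMAIN = "bloomu.edu"

def is_campus_host(host):
    """True only if host is bloomu.edu itself or a subdomain of it.
    www.bloomu.edu.9.cn and account.bloomu.edu1.com contain the string
    but are not under the bloomu.edu domain, so they return False."""
    host = (host or "").lower().rstrip(".")
    return host == CAMPUS_DOMAIN or host.endswith("." + CAMPUS_DOMAIN)

def url_is_campus(url):
    # urlparse() isolates the host between "http://" and the first "/",
    # and also drops any "user@" prefix or port that could mislead the eye.
    return is_campus_host(urlparse(url).hostname)

def address_domain(addr):
    # 'IT Help Desk <x@y>' -> 'y'
    return parseaddr(addr)[1].rpartition("@")[2]

def reply_goes_off_campus(msg):
    """Type #1: a Reply-To header directing replies outside bloomu.edu."""
    reply_to = msg.get("Reply-To")
    return bool(reply_to) and not is_campus_host(address_domain(reply_to))

def off_campus_links(msg):
    """Type #2: links in the body whose domain is not bloomu.edu."""
    urls = re.findall(r"https?://[^\s<>\"']+", msg.get_payload())
    return [u for u in urls if not url_is_campus(u)]

def analyze(raw):
    msg = message_from_string(raw)
    return {"reply_off_campus": reply_goes_off_campus(msg),
            "off_campus_links": off_campus_links(msg)}

# Constructed sample message; the addresses are placeholders, not real ones.
SAMPLE = """From: IT Help Desk <helpdesk@bloomu.edu>
Reply-To: verify-account@example.net
To: undisclosed-recipients:;
Subject: Confirm your account within 24 hours

Dear email account owner,
Confirm your account at http://account.bloomu.edu1.com/login
Help page: http://www.bloomu.edu/technology/
"""
```

Running analyze(SAMPLE) flags the off-campus Reply-To and the bloomu.edu1.com link while leaving the genuine http://www.bloomu.edu/technology/ link alone.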