Phishing and social engineering are terms used to describe how cyber criminals trick people into clicking on malicious links, opening email attachments, and sending their data to the attacker. How do they do it? Read on through the information below to find out how to identify a scam and what countermeasures we can take as a community.
March 2018: Dropbox Phishing
Recently, the IT Division was notified about a phishing attempt that looks like an email from someone sharing Dropbox attachments with you. After you follow the link to the website, you are prompted to sign in with your username and password. Once you type them in, the cyber criminals use your username and password to send out more phishing and spam messages.
If you click on a suspicious link and type in your username and password, please navigate to https://services.bridgew.edu/passwordreset/ and reset your password.
How can I tell if an email is spam or phishing?
Incorrect Use of Punctuation and Grammatical Errors
Look for bad punctuation in phishing and spam messages. The message will often read a little oddly, with strange or even bizarre word choices. This is usually the result of a cyber criminal translating the message from another language into English. You can try this yourself by translating a paragraph from English to another language and then back to English. The sentence "The quick brown fox jumped over the lazy dogs" can become "The fast fox jumps over lazy dogs".
Urgent Call to Action and Threatening Language
Cyber criminals want you to make a mistake after you open their email. They want you to hastily click on a link or reply with sensitive information. One example is an email saying that your "mailbox is over its size limit" and that you must respond with your username and password to avoid having your email shut off. We have also seen scams that combine an urgent call to action with threatening language in the IRS scams that usually occur between January and April every year. Often these IRS scams start as a phone call threatening penalties, jail time, and fees unless you immediately wire money to the caller or give them your credit card number.
Anything That Makes You Feel Uncomfortable
Sometimes cyber criminals will send you an intentionally incendiary email. There could be many reasons for sending an email like this: to gain your attention and trust, to see whether you respond, or just to make you upset so that you click on a hyperlink in a follow-up email. Malware can also be hidden in Word documents, and if you are reading an upsetting email you may not stop to consider that the sender's real goal is to get you to open the attached document.
Offers That are Too Good to be True
Although we have all heard this phrase, it still rings true with cyber criminals. The rule for any presentation is to know your audience, and cyber criminals know theirs. The IT Security Office has seen creative phishing and spam campaigns targeting faculty, staff, and students. Sometimes all three groups receive the same phishing/spam message. However, cyber criminals also learn from their mistakes, and they have learned that emails targeted at a specific group can work very well.
Capitalizes on Current Events
Spam and phishing that use current events are particularly effective. Cyber criminals prey on your desire to help other people by sending you fake donation pages. Sometimes the goal is to obtain your credit card number, but other times it is simply to take your money. Make sure you do your research before donating to an organization online.
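As an added illustration (not part of the original notice), the script below turns the indicators from this section into a small scoring check that a mail administrator could run over message text: urgent or threatening wording, a request to reply with or sign in using a username and password, and links that lead outside the institution. The sample emails are constructed for the example; the "mailbox over its size limit" and Dropbox lures follow the descriptions above, and the trusted domain suffix is assumed from the reset address given on this page.

```python
import re
from urllib.parse import urlparse

# Phrases drawn from the indicators described above (urgent call to action,
# threatening language such as penalties and jail time).
URGENCY = ["immediately", "within 24 hours", "shut off", "suspended",
           "penalt", "jail time", "wire money"]

# A request to reply with, or sign in using, a username and password.
CREDENTIAL_REQUEST = re.compile(
    r"(reply|respond|send|sign in|log in)[^.\n]{0,40}(username|password)")

LINK = re.compile(r"https?://[^\s<>\"']+")

# Assumed trusted domain, taken from the password reset URL on this page.
TRUSTED_SUFFIXES = ("bridgew.edu",)


def score_email(subject, body):
    """Return (score, reasons); each matched indicator adds one point."""
    text = f"{subject}\n{body}".lower()
    reasons = []
    if any(phrase in text for phrase in URGENCY):
        reasons.append("urgent or threatening language")
    if CREDENTIAL_REQUEST.search(text):
        reasons.append("asks you to reply with or enter username/password")
    for url in LINK.findall(body):
        host = urlparse(url).hostname or ""
        if not host.endswith(TRUSTED_SUFFIXES):
            reasons.append(f"link points outside the institution: {host}")
            break
    return len(reasons), reasons


# Constructed sample messages (not real emails).
SAMPLES = [
    ("mailbox", "ACTION REQUIRED: Mailbox over size limit",
     "Your mailbox is over its size limit. Respond with your username and "
     "password within 24 hours or your email will be shut off."),
    ("dropbox", "Dropbox: a document was shared with you",
     "A colleague shared a file with you on Dropbox. Sign in with your "
     "username and password to view it: http://dropbox-share-secure.example/login"),
    ("legit", "Reminder from the IT Division",
     "If you typed your username and password into a suspicious site, reset "
     "them at https://services.bridgew.edu/passwordreset/ right away."),
]


def scan_samples():
    """Score every sample; the legitimate notice should come out at zero."""
    return {name: score_email(subj, body)[0] for name, subj, body in SAMPLES}


if __name__ == "__main__":
    for name, subj, body in SAMPLES:
        print(name, score_email(subj, body))
```

A score of two or more on a real message is a good cue to check the sender and the link before entering any credentials.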