Alerts Newsletter

Catch a Phish to Protect Yourself and WashU

By

Phishing is the most common tactic cybercriminals use to steal login credentials, data, and intellectual property. Billions of these messages are sent every day, but it’s now easier than ever to protect yourself and WashU by helping the Office of Information Security (OIS) catch the phish and remove it from our system. The Phish Alert Button (PAB), now available to everyone in Outlook, allows users to report a suspected phish with the simple click of a button. When you click the PAB, the OIS will investigate the message, notify you of its authenticity (or lack thereof), and take steps to protect the rest of the WashU community if its determined to be malicious. Don’t worry about reporting a message that turns out to be authentic—the phish detection experts on our team will evaluate the message and if it’s not a threat, they’ll notify you and return the message to your inbox.

The button varies in appearance according to the Outlook version but generally looks like an open letter with an orange fishhook. Simply report the phish by clicking the button, and the OIS will take care of the rest. For more information about catching phish using the PAB, please visit the Phish Alert Button page on the OIS website.

With the cooperation of our community, the OIS recently caught and gutted a dangerous phish circulating at WashU. This was a particularly tricky phish because it presented itself as a simple and brief request to lure in its victims, mimicking an important notification to trick recipients into handing over sensitive login information. It contained many hallmarks of a typical phish, but it tried to evade your skepticism using a “less-is-more” strategy.

If you receive an email requesting sensitive or personal information, always approach it with a heavy dose of skepticism. In this case, the message is about “Payroll.” Because it involves such a sensitive system that is frequently targeted by attackers, it’s a good idea to have a known and trusted strategy to check the claim’s authenticity. Instead of clicking any links in an email like this, the recipient should report it to the OIS for further investigation and check on their payroll information using one.wustl.edu, rather than engaging with the phish.

Below, we dissect this phish to illustrate how to tell that it’s rotten.

Example of Important Payroll Message Phish
  1. Using a ‘@wustl.edu’ email address in the scam pictured above highlights the common tactic of spoofing a domain in a sender email or using a compromised account to send messages that phish other users within the institution.
  2. The message conveys a tone of urgency and concerns a key department or service. This particular department has clear connections to financial gains for the attacker.
  3. The recipient is encouraged to follow a link in an email, and that link does not go to the place it claims to go. Hovering over this link reveals it actually goes to a malicious site outside of the wustl.edu domain.
  4. The email contains a non-standard signature.

10 Phishing Safety Tips

  1. Don’t click. Instead of clicking on any link in a suspicious email, type in the URL, or do a search on wustl.edu for the relevant department or page. Even if a website and/or URL in an email looks real, criminals can mask its true destination.
  2. Be skeptical of urgent requests. Phishing messages often make urgent requests or demands. When you detect a tone of urgency, slow down and verify the authenticity of the sender and the request by using official channels, rather than the information provided by the sender.
  3. Watch out for grammar, punctuation, and spelling mistakes. Phishing messages are often poorly written. Common hallmarks of phishing are incorrect spelling, improper punctuation, and poor grammar. If you receive an email with these problems, it may be a phishing attempt. Double-check the email address of the sender, don’t follow any links and verify the authenticity of the request using official channels.
  4. Keep your information private. Never give out your passwords, credit card information, Social Security number, or other private information through email.
  5. Pick up the phone. If you have any reason to think that a department or organization really needs to hear from you, call them to verify any request for personal or sensitive information. Emails that say “urgent!”, use pressure tactics or prey on fear are especially suspect. Do an online search for a contact phone number or use the contact number published in the WUSTL directory.
  6. Use secure websites and pay attention to security prompts. Always check if you are on a secure website before giving out private information. You can determine whether a website is secure by looking for the “https:” rather than just “http:” in the Web address bar or for the small lock icon in the Internet browser. If your browser cannot validate the authenticity of the website’s security certificate, you will be prompted. This is frequently a telltale sign of fraud, and it would be a good time to pick up the phone or report a suspicious message.
  7. Keep track of your data. Regularly log onto your online accounts and make sure that all your transactions are legitimate.
  8. Reset any account passwords that may have been compromised.
  9. Know what’s happening. Visit the Office of Information Security Alerts page often and follow us on Twitter to get the latest WashU Information Security Alerts.
  10. Report it. If you are a victim of an email scam, report it to our office by using the Phish Alert Button (PAB). When you report a phishing attack, we will investigate it and if necessary, remove other instances of the attack from our systems. Reporting the attack will help protect others and our institution.

Additional Resources

Phishing | Office of Information Security | Washington University in St. Louis
Phishing 101 | Office of Information Security | Washington University in St. Louis

Protect Yourself from Social Engineering

Protect Yourself from Social Engineering