Alerts Newsletter

Scam of the Month: Document Shared with You

The Office of Information Security has identified a trend in which criminals send members of our community a Google Document containing a malicious link, in the hope that a victim will give up their credentials. In this more elaborate scam, hackers posed as Adis Avila, who does not work at our university, and sent a document titled ‘Athletic Directory Reports.’ Within this email, the name Anthony J. Azama is listed; while he does work at WashU, his title is not Athletic Director.

Document shared with you: "ATHLETIC DIRECTORY REPORTS"

For your safety, the link here goes to a legitimate Google Document. In the scam, the Google Document contains an additional link to a malicious website. There are a few red flags in this scam email:  

  1. Adis Avila is not a WashU employee. The domain of Adis’ email is also not a WashU domain.  
  2. Anthony J. Azama is not an Athletic Director at WashU.  
  3. The email states that the document is being shared through ‘OneDrive,’ but it is actually coming from Google Docs.

This link takes the victim to a page where they are asked for their credentials, phone number, and a code from the Duo app. This is all information the hacker needs to take over the account.

Once the hacker gained access to an account, they were able to send additional phishing messages impersonating a WashU employee.  

These types of scams are extra tricky because they do come from a WashU domain and are not labeled as external. With this scam, however, the tell-tale signs are spelling errors, formatting issues, and the nature of the request itself. Below, we dissect the email further to identify red flags.

  1. Generic ‘Hello’ greeting.  
  2. Mrs. Pretty is not a WashU faculty or staff member and the nature of this email and request is very odd.  
  3. Grammatical errors and random capitalization of words in the middle of the sentence.  
  4. The sender’s insistence on ‘no calls and only text messaging’. The hacker requests texts because it is easier to communicate and impersonate someone through text messaging.  
  5. The items are listed as ‘free’ but there is a large amount of money requested for shipping. The hacker is trying to seem generous, but the money they request for shipping will be stolen from the victim. 
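As an added example (not part of the newsletter), the Python below turns the red flags from both dissections above into checks run over a raw email message. The institutional domain list and the two sample messages are constructed assumptions, not captured mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"wustl.edu"}  # assumed institutional domain; adjust for your org

# (label, predicate) pairs; labels mirror the red flags dissected above.
CHECKS = [
    ("sender domain is outside the institution",
     lambda dom, body, hosts: not any(dom == t or dom.endswith("." + t) for t in TRUSTED_DOMAINS)),
    ("message says OneDrive but the links point to Google",
     lambda dom, body, hosts: bool(re.search(r"\bonedrive\b", body, re.I)) and any("google." in h for h in hosts)),
    ("generic greeting",
     lambda dom, body, hosts: re.match(r"\s*(hello|hi|dear (sir|madam|user))\s*[,!.]", body, re.I) is not None),
    ("insists on text messaging, no calls",
     lambda dom, body, hosts: re.search(r"\b(no calls?|do not call|only text|text(ing)? only)\b", body, re.I) is not None),
    ("'free' items but a shipping payment is requested",
     lambda dom, body, hosts: all(re.search(p, body, re.I) for p in (r"\bfree\b", r"shipping", r"\$\s?\d"))),
]

def red_flags(raw_message):
    """Return the red-flag labels that fire for one RFC 822 message string."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()      # sender domain, e.g. "example.com"
    body = msg.get_payload()                      # plain-text body of a non-multipart message
    hosts = [h.lower() for h in re.findall(r"https?://([^/\s\"'>]+)", body)]  # link hostnames
    return [label for label, check in CHECKS if check(domain, body, hosts)]

# Constructed sample 1: the fake "document shared with you" lure sent from an outside address.
SHARE_LURE = """From: Adis Avila <adis.avila@example.com>
Subject: Document shared with you: "ATHLETIC DIRECTORY REPORTS"

Hello,
Adis Avila shared ATHLETIC DIRECTORY REPORTS with you through OneDrive.
Open: https://docs.google.com/document/d/PLACEHOLDER/view
"""

# Constructed sample 2: the "free items" request sent from a compromised internal account.
FREE_ITEMS = """From: Mrs. Pretty <compromised.account@wustl.edu>
Subject: Free Items

Hello,
I am Giving away some Free items. No calls please, only text messaging.
Shipping is $180 and must be paid before the Items are sent.
"""

if __name__ == "__main__":
    for name, sample in (("share lure", SHARE_LURE), ("free items", FREE_ITEMS)):
        print(name, "->", red_flags(sample))
```

Note that the second sample passes the domain check precisely because it comes from a compromised internal account, which is why the content-based flags matter.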

If you receive an email that looks like either of the examples here, use the Phish Alert Button (PAB) in your Outlook interface. Even if the email appears to be from someone at WashU, be wary of unusual requests and offers. Usually, if it is too good to be true, it probably is.  

Avoid this and other scams by following our ten phishing safety tips and guidance below.   

10 Phishing Safety Tips  

  1. Don’t click. Instead of clicking on any link in a suspicious email, type in the URL or search for the relevant department or page. Even if a website and/or URL in an email looks real, criminals can mask its true destination.  
  2. Be skeptical of urgent requests. Phishing messages often make urgent requests or demands. When you detect a tone of urgency, slow down and verify the authenticity of the sender and the request by using official channels rather than the information provided by the sender.  
  3. Watch out for grammar, punctuation, and spelling mistakes. Phishing messages are often poorly written. Common hallmarks of phishing are incorrect spelling, improper punctuation, and poor grammar. If you receive an email with these problems, it may be a phishing attempt. Double-check the email address of the sender, don’t follow any links, and verify the authenticity of the request using official channels.  
  4. Keep your information private. Never give out your passwords, credit card information, Social Security number, or other private information through email.  
  5. Pick up the phone. If you have any reason to think that a department or organization really needs to hear from you, call them to verify any request for personal or sensitive information. Emails that say “urgent!”, use pressure tactics, or prey on fear are especially suspect. Do an online search for a contact phone number or use the contact number published in the WUSTL directory.  
  6. Use secure websites and pay attention to security prompts. Always check if you are on a secure website before giving out private information. You can determine whether a website is secure by looking for “https:” rather than just “http:” in the Web address bar or for the small lock icon in the Internet browser. If your browser cannot validate the authenticity of the website’s security certificate, you will be prompted. This is frequently a telltale sign of fraud, and it would be a good time to pick up the phone or report a suspicious message.  
  7. Keep track of your data. Regularly log onto your online accounts and make sure that all your transactions are legitimate.  
  8. Reset any account passwords that may have been compromised.  
  9. Know what’s happening. Visit the Office of Information Security Alerts page often.  
  10. Report it. If you are a victim of an email scam, report it to our office by using the Phish Alert Button (PAB). When you report a phishing attack, we will investigate it and, if necessary, remove other instances of the attack from our systems. Reporting the attack will help protect others and our institution.  

Additional Resources  

Phishing | Office of Information Security | Washington University in St. Louis  
Phishing 101 | Office of Information Security | Washington University in St. Louis  

Protect Yourself from Social Engineering  