Recognizing Phishing Emails

Phishing messages are scams to trick you into doing something. Usually they are email, but we see increasing use of text messages, online message platforms, social media, job websites, and even voice. They want you to respond, click a link, log into something, or open an attachment. Increasingly, the initial message seems harmless and is the start of a conversation to get your guard down.

Contents

Impersonation Phishing:

Often, phishing messages will appear to come from someone you know, including the college president, another leader, or a member of the faculty or staff. They may ask for information or a favor, announce a job opportunity, or offer to give something away. Check the sender's email address and not just the displayed name! Gmail and other free email services do not verify the identities of account holders, so criminals often attach the names of real people to Gmail accounts they use for attacks.

If you get a message from Gmail or another non ithaca.edu address that purports to be from someone at IC, and you think it might actually be them, forward it to their IC email address and ask them. And, please use your Ithaca College email account and encourage everyone else to. It will help keep you and others from being tricked.

Red Flags

Phishing attacks are common because they work. People get tricked, and criminals make money. By understanding why phishing works, you can better protect yourself and your information. Attackers use a few common ploys to trick you:

  • Urgency: They want you to act before you think. They need a quick favor, you need to act now before your account is disabled, or your computer has a security problem...
  • Impersonation: They use a name you know: someone from IC, your bank, the IRS, or elsewhere, and you don't consider it might be phishing because it's from someone you know.
  • Respond some other way: Criminals do not like the Ithaca College email system because of protections we have in place. They want you to reply to them via text or from a personal Gmail account. They want you to reply to some third account.
  • A great opportunity: They offer a part-time job making great money remotely, or an internship, or they are giving something away. If it's too good to be true, it probably is.
  • Quarantine: If a message is in your email quarantine, it's probably there for a reason. Be very suspicious. More information is here: Article - Beware Quarantined Email (ithaca.edu)

Spearphishing

It used to be the exception, but many phishing messages are now customized for each victim or group of victims. They commonly impersonate people at IC when phishing IC students, faculty, and staff. Some phishing attacks are very specific to the individual target, and they may involve a series of messages in an ongoing conversation to get your guard down before they ask you to do anything. Verify that the person you're emailing is who they say they are.

Safer Practices

  • Always look at the sender's email address on every message you read.
  • Only click links or open email attachments if the message is from a known email address and you expected it or verified it's legit.
  • Links don't always go where they say. Check where they go by hovering over them and checking the URL.
    • IC uses outlook.com's Safe Links  feature to check web sites for malware as you click, so links can be a little confusing. The original URL is the one after the "?url=" below.
      • https://nam01.safelinks.protection.outlook.com/?url=http://www.ithaca.edu.
  • To verify an email is legitimate, contact the sender some other way and not by responding to the email. For example, if you receive an email from your bank, call them at the number on their website to verify the message.
  • If you get a message from a company asking you to click a link or log in, do a web search for the company's site and log in directly instead of using the emailed link.

Real-Life Examples

Below you will find two examples of phishing messages sent to the Ithaca College community. Follow along with the numbered boxes for an explanation on specific red flags that can help you spot a phishing email in the future. 

Example 1: Outlook Desktop App

A phishing email. The sender of the email is not @ithaca.edu. The message body does not match the style of official IC communications. Hovering the mouse pointer over the link shows that it does not go to an ithaca.edu website.

  1. The display name field of an email is often the best place to start. This field can be easily manipulated to falsify the actual sender. Here we see the display name is  "ADMIN@ithaca" and the sender address is "help@parkvantage.com". There are two red flags here. First, the email is coming from the parkvantage.com email system. Announcements to the campus will come from an address ending with "@ithaca.edu" and will not be flagged as coming from outside of the Ithaca College mailing system. Secondly, the display name "ADMIN@ithaca" is suspicious given that it appears in all caps and is completely different than the actual sender address in an attempt to deceive the receiver. 
  2. The message body is often the most difficult section to spot a red flag. Common red flags in a message body are: spelling and grammar errors, a false sense of urgency, and information that could contradict your general knowledge about the college.  Here the author does not have very many spelling or grammatical mistakes, but the look and feel of the message is attempting to incite urgent action through claiming the user can no longer receive emails until they act, as well as flagging the email as important to stick out in the users mailbox.
  3. Scrutinizing links can be the best way to spot a phishing message. The key step is to not actually click a link, but to hover your mouse's pointer over the blue text. This will typically display a long string of characters called a safelink, but the actual website the link is pointing to can be found in the underlined "url=" portion of the link. If a link does not point to an ithaca.edu website, it may be malicious. Here we can see the link does not lead to an Ithaca or Microsoft website like the email suggests, but an unrelated and malicious site.
     

Example 2: Outlook Desktop App

This example is one of the more difficult messages to spot as a phishing messaging, but by checking the display name, analyzing the body for contextual clues, and pausing to think about the format, you will be able to see it is a phishing email.

  1. The display name here is "Ithaca|Security Tech Support" with the email address "hisano@pg-a.co.jp". Once again, the sender manipulated the from: field to make it appear as if this message was sent from an Ithaca tech support email account. If you are ever unsure if a message actually came from a user or department on campus, take the time to call them and confirm that they actually sent the message. Here the minor clue is that the email address "hisano@pg-a.co.jp" is extremely odd, given that it contrasts from the display name and is a non-Ithaca affiliated domain, 'pg-a.co.jp".
  2. There are a few suspicious clues within the contents of this email. The first being that this supposedly came from Microsoft but it some typos and unrealistic wording. This can be seen by an extra period at the end of the body, the use of the words "dear User ," (emails from Ithaca or Microsoft almost never use vague wording to address users, it should explicitly be your name, email address, or other identifying factor), and the awkward wording of "we encourage you to take the time now to keep the same password". Microsoft and Ithaca emails would never encourage reusing the same password or use overly polite, passive language as seen here. Lastly, at the bottom of the email, it attempts to discourage and scare users from reporting or forwarding the message to IT to avoid being caught and flagged as a phish. Any attempts to deter users from sending the email for review should instantly raise red flags.
  3. This email includes a QR code. Containing a QR code is not necessarily malicious, but it should raise questions. Questions like: 
    1. Is there a link you can hover over and inspect instead? Most legitimate emails will include a clickable link to the same site as the QR for security and convenience.
    2. Does it make sense for a QR code to be included? Phishing messages often include QR codes even when it is not logical to, hoping that users will not realize it links to a different site than they claim and so it can be accessed on a personal device with less protection, such as a smart phone.

Exercise extreme caution when scanning QR codes, always inspect a link instead if possible, and never scan QR codes from senders you do not recognize.

 

Example 3: Outlook Desktop App

This phish could be harder to spot because it tries to come off as more personable and someone within IC's community. Phishers know that preying off of familiarity works because it makes users feel safer from scams, and more likely to do what they ask. Below are some ways to still detect that this email was a phish.

  1. Once again,  there are suspicious indicators within the sender address and name. The sender email address is  trying to mimic the typical IC email naming convention but it can be noted that it is "sdrake.ithaca@contoso.com" instead of "sdrake@ithaca.edu". Additionally, the sender address does not match the signature address at the end of the body and if you pay very close attention, you may notice that the signature address is not a valid IC address and "Stephen Drake' is not a real IC professor. 
  2. The golden rule in spotting scams and phishing is, if it sounds too good to be true, it likely is and this is a clear example of that rule in action. Here the sender is claiming they are willing to give away sets of very expensive equipment to a complete stranger are even willing to help arrange a moving company to do so. Although giving away unused equipment is not inherently odd, the lack of connection to the people involved in this email and the price of what they are giving away makes it sound a bit too good to be plausible. 
  3. The most glaring red flag within this email is that the allegedly IC faculty member instructs the reader to reach out to an email external from the IC mailing system. In addition to this, they include that readers should do so with their personal email. This is a purposeful tactic by phisher; responding to phishing emails with a personal address instead of your IC address circumvents the safety and anti-phishing features put into place in our mailing system to protect IC accounts. If an email ever instructs you to respond with a personal address, you should assess whether that makes sense in the context-- otherwise it is likely doing so to leave you much more vulnerable to attacks.
100% helpful - 2 reviews

Details

Article ID: 77
Created
Wed 8/2/17 1:27 PM
Modified
Thu 4/11/24 10:27 AM