Check It Before You Click It - Phishing, Malicious Links & Spoofed Headers
The word "Phishing" is a variant of the word "fishing." It comes from the analogy of spammers sending many emails (casting a wide fishing net) in the hope of catching a user (the fish). Though many users don't fall victim to the scams, it only takes a few to make the scam successful.
What is the point of phishing?
"Phishers" typically attempt to steal information from you. This information includes (but isn't limited to) your PAWS ID and password, email login information, banking information, and more. Attackers can use this information for different purposes, including gaining privileged access to LSU's network, sending malicious spam from your email account, stealing sensitive personal information, etc. Your financial/banking information could be used to steal your identity, pilfer funds from your account, send money out of the country, and more.
Most phishing scams can be avoided by sticking to these basic principles:
1. Treat ALL LINKS as if they are suspicious. (Links include Web Addresses & URLs)
2. Log in with your LSU PAWS ID ONLY at official lsu.edu sites and pages such as my.lsu.edu and tigerware.lsu.edu.
3. Never provide your password or other sensitive information in an email message.
- You are responsible for your LSU PAWS ID. DO NOT share your PAWS password with ANYONE for ANY REASON.
- Email is NOT a secure way to send personal information. ALL e-mail messages can be intercepted while they are in transit, and email messages are NOT encrypted or protected by default.
- If an attacker gains access to your email account, ALL of the sensitive information stored there will be accessible to the attacker.
4. Be suspicious of messages such as these:
- You are urged to take "Immediate Action", the message creates a sense of urgency, or you are threatened that your account will be shut down.
- The message claims that your email inbox is full or near its quota and needs to be upgraded.
- The message claims that you must log in to enable security features or other services.
What do you mean by "treat all links as suspicious"?
Many emails are sent as HTML, like a Web page, with the HTML code hidden behind the scenes. This is done in order to include Web links, display images, and provide other special formatting. However, Web links can be deceiving: the text you see is independent of the address the link actually opens. (Example: The following text link - not-a-lsu-site.com - opens the official LSU web site.)
Phishing messages often use the reverse tactic, masking a malicious site behind what looks like a link to an official LSU page. This can trick users into believing they are visiting a legitimate site. For this reason you shouldn't automatically trust what you see in email messages. Text links that appear to be one address but lead to another should be treated as highly suspicious.
How do I check where the links actually go?
If you are using a desktop or laptop with a mouse, you can easily 'hover' the mouse cursor over the link. Where the actual destination of the link is displayed varies with your operating system and email client. Below are examples of the same phishing message in several email clients:
Outlook 2010 for Windows: True link destination displays where the mouse hovers & at the bottom of the screen.
Thunderbird 17.0.7: True link destination displays at the bottom of the application window ONLY.
OS X Mac Mail: True link destination displays where the mouse hovers & at the bottom of the application window.
Apple iOS Mobile Devices: True link destination displays when you tap & hold down your finger on the link. (Apple iPhones & iPads DO NOT have a cursor for you to hover over the link with.)
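The hover check above can also be automated. The following is an added Python example (not LSU's code or tooling) that parses an HTML mail body and flags any link whose visible text names one host while its href actually leads to another; the sample body is constructed for illustration and includes the page's "not-a-lsu-site.com opens lsu.edu" case and its reverse.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (not a real message): an honest link, the page's
# "not-a-lsu-site.com -> lsu.edu" illustration, its reverse, and a plain-word link.
SAMPLE_HTML = """
<p>Visit <a href="https://www.lsu.edu/">www.lsu.edu</a> for details.</p>
<p>Demo: <a href="https://www.lsu.edu/">not-a-lsu-site.com</a></p>
<p>Reset PAWS: <a href="http://not-a-lsu-site.com/paws">https://my.lsu.edu/login</a></p>
<p>More info <a href="http://not-a-lsu-site.com/x">here</a></p>
"""
# Anything in the link text that looks like a hostname (scheme optional).
HOST_IN_TEXT = re.compile(r"(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", re.I)

def host_of(url: str) -> str:
    """Lower-cased host of a URL; a leading 'www.' is dropped for comparison."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().removeprefix("www.")

class LinkCollector(HTMLParser):
    """Gather (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def deceptive_links(html: str) -> list:
    """Links whose displayed host differs from where the href really goes."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        match = HOST_IN_TEXT.search(text)
        if not match:  # plain words like "here" make no destination claim
            continue
        shown, real = host_of(match.group(0)), host_of(href)
        if shown != real:
            flagged.append({"text": text, "href": href, "shown": shown, "real": real})
    return flagged
```

Calling `deceptive_links(SAMPLE_HTML)` returns the two mismatched links; a link whose text is a plain word such as "here" is not flagged because it makes no claim about its destination, which is exactly why you still hover over it.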
There is a belief that if an email says it is from an account, like firstname.lastname@example.org, then it must actually be from email@example.com. The unfortunate reality is that the "From:" field can be easily faked to appear as any account or person. This is commonly referred to as "spoofing".
In the phishing examples above, the message says it is from LSU; however, it also provides an email address of firstname.lastname@example.org. While that email address could be an instant indicator that LSU DID NOT send the message, keep in mind that even the email address can be spoofed to show email@example.com or firstname.lastname@example.org.
If you are not sure about an email message's legitimacy:
Send an e-mail to email@example.com. Include the following information:
LSU IT Security is willing to investigate any potential scam messages on your behalf. You may do so by sending the original message (with full headers) to firstname.lastname@example.org. Please note LSU ITS has very limited control over what messages are caught and flagged as spam.
There are numerous kinds of phishing attempts and other scams targeting users, many of which LSU cannot take any action on. However, here are a few cases where we recommend you contact email@example.com:
- You have a phishing message that contains malicious links.
- You clicked on a link or responded with personal information to a potential email scam and need help determining what to do.
- You have a scam message you believe came from another LSU user.
As long as you do not click on any malicious links or respond to the email with personal information, you as well as your computer should not be at risk.
As always, if you have any concerns or comments please feel free to email the LSU IT Security & Policy Office with any of your questions via firstname.lastname@example.org.
7/11/2013 3:01:35 PM