A new phishing email is showing up in MRU Inboxes and Spam folders. It looks like this:
The first question you should ask is why would you receive an email about unread messages? However, if the panic over missing out on 2 messages throws common sense out the window, a glance at the sender’s email address should alert you. If you miss that clue and click on the REVIEW NOW link in a desperate attempt to avoid missing out, it takes you to this web page:
If you have gotten to this point, there is a good chance you will think that MRU has a secret email service outside of Gmail that you weren’t aware of. As a result, you will have no issues with entering your Mount Royal login credentials to access the mysterious messages. That is exactly what the hackers are hoping you will do. Once you do, Bob is your uncle, and they have control of your Gmail.
Let me assure you that the only email messages you will ever receive from Mount Royal University will come through Gmail. You will never have to log in to another email service to receive messages.
If this or a similar email shows up in your Inbox or Spam folder, delete it. If you ever have questions about the legitimacy of an email that you have received from us, please forward the email to firstname.lastname@example.org and we will be happy to investigate for you.
At Mount Royal University, we now have lots of diligent users reporting phishing emails to email@example.com. The IT security team is over the moon with the wonderful responses we are getting. However, we are getting quite a few that people find in their Spam folder. So I thought I would take a moment to explain how your Spam folder works and what to do with the emails that find their way there.
First off, for those who have no idea what I am talking about, your Spam folder is found in Gmail. Email that Google thinks is malicious or spam is sent there. Often its links and/or attachments are disabled or removed. Google determines whether an email is malicious or spam using a variety of criteria. Examples of these criteria include the presence of known malware or phishing links.
Occasionally newsletters you subscribe to or emails from vendors can end up in the Spam folder by accident. That is why the emails aren’t deleted outright. You have the opportunity to scan through the folder and check and make sure nothing that you actually want to receive has made its way there.
As the Spam folder can fill up pretty quickly with hundreds of emails, I usually recommend that once a week you take a quick scan through your spam and then delete its contents. This prevents you from getting overwhelmed with an overloaded folder.
If you find a phishing email in your Spam folder, Google already knows about it and doesn’t need to be notified. However, if you find one that is especially concerning and think the Mount Royal community should be warned, please forward it to firstname.lastname@example.org. When you do, let us know that it came from your Spam folder so we know who needs to be notified.
For more information about the Spam folder, how to mark or unmark messages as spam and other spam related questions, check out Gmail Help.
The Mount Royal impersonators are continuing their gift card scam. However, they have figured out that we have a new president and they have changed tactics accordingly. The latest phishing emails appear to come from Dr. Tim Rahilly.
This causes concern for two reasons. First, they are obviously monitoring our website for information to put into phishing emails. Second, as Dr. Rahilly has not yet officially begun his term there may be some confusion about his email.
To clarify things, he has had an official Mount Royal email address for quite some time. If you receive an email that appears to come from him, please check the email address to ensure it is correct. If you are unsure, please forward it to email@example.com and we will check it for you.
Once again miscreants are trying to catch our employees off guard by hitting them with a phishing email that appears to come from a fellow Mount Royal employee. Fortunately for us, our employee identified the odd email address and stopped the attack cold.
The clever criminals added some distracting details to try and trip up their intended victim. They added a Re: to the subject line plus a fake time and date stamp to make it look like the email was a reply to a previously read email. They know we tend to trust email replies and they bet that the odd email address wouldn’t be noticed. They were wrong.
Our superhero employee saved the day by forwarding this bad boy to us instead of clicking on the nasty link. Keep a look out for this one.
If it shows up in your inbox, be a superhero and forward it to firstname.lastname@example.org.
Another day, another clever criminal trying to break into our network. This time they tried using Google Drive to do it. Tuesday morning several employees found this in their inbox.
The Word Doc link is totally legit. If you click the link, it takes you to this document.
Clicking the link in the Word document takes you to a legitimate website that has been compromised. The site asks you to login to Office 360 to access the document. Of course if you do, you are giving some miscreant your Office 360 login credentials. They can then sell your credentials on the dark web or use them themselves to wreak havoc on your data as well as the data of others. Fun, Fun, Fun.
Because the Google Drive file share and the website are legitimate, they won’t be flagged by anti-virus or the firewall. It is actually very clever. However, although it may get past the technology, a person can easily spot this as malicious. In fact, we had two different reports sent to email@example.com about this one. Way to go MRU!!
For those of you who aren’t already yelling at the screen, “Come on, that is so obvious”, I am going to walk you through the red flags. The first is that the email is sent by Benjamin Kuiper from the email address firstname.lastname@example.org. Clearly not a Mount Royal email, and he is not listed in the directory. Fail number one.
Second, the doc says it was being shared by Benjamin and David Hyttenrauch. This doc was sent to people on David’s team, so even though they didn’t know who Ben was, they sure as heck knew who David was. This got the desired attention. However, you can’t send an invite to share one file from two people. Clearly, this Word doc was shared by Benjamin, and the sneaky dude entered the rest of the deceiving information into the Add a note field in the Share with others dialog box to make it look like Dave was involved. Fail number two.
Third, when you open the document it tells you that you have a file waiting for you on OneDrive. OneDrive file shares are not sent as links in Word documents. Fail number three.
Lastly, if you were to hover over the link in the Word document you would see that it does not go to OneDrive. Fail number four.
As clever as criminals are, most of them can be stopped by alert employees who take the time to look at emails with links and attachments critically. As we have seen in this example, the majority of the time phishing emails contain clear clues that something is not right. Don’t get caught up in the emotion of the moment. Like our wonderful employees, take the time to really look and make sure that the email is what it appears to be. Your data, your colleagues and your IT department will thank you.
Just don’t. Okay, I admit I am being rather unreasonable. However if you have any other alternative to printing tax receipts, pay stubs, benefits statements and the like, please use it. We are human beings after all and we get distracted. On a regular basis our techs pick up abandoned print jobs with sensitive information that should not be on public display. Here is the latest one.
With the tax season in full swing, we are seeing a lot of these types of documents left abandoned by their owners. If you do not have any other means of printing sensitive documents other than using public printers, please take the following precautions:
- Check twice to ensure you are sending the print job to the correct printer.
- Be standing by the printer as the document is being printed.
- If the document does not print, assume you have sent it to the wrong printer and immediately look for it. Do not attempt to print the document again until you are 100% sure it has not been sent to another printer.
Taking these simple, if inconvenient, steps will help prevent miscreants from using your student number, SIN or other personal information for their gain and your misfortune. It will also keep how much you earn from becoming the latest water cooler gossip.
Phishing emails that appear to come from Mount Royal University supervisors are making their appearance again. This time they are throwing in the whole, “I am going into a meeting with limited phone calls, so just reply to my email” nonsense to try and keep you from calling the person directly to verify the legitimacy of the email.
Thankfully they are still using lame sender email addresses, so they are pretty easy to spot if you take the time to look. However, they have started to use a new tactic that is concerning. They have somehow gotten hold of cell phone numbers and are now texting Mount Royal employees, asking them to contact the texter immediately as they have a task for them. The messages appear to come from the employee’s supervisor.
How do you protect yourself from social engineering via text message?
- Don’t click on links in text messages
- Be suspicious of requests that are outside of regular procedures or processes
- Don’t give out information that the person you are talking to should already have
A good rule of thumb is, if it doesn’t feel right it probably isn’t. If you get a strange request from your supervisor, politely let them know you will get right back to them and hang up. Then contact them using an email or phone number that you know is legitimate.
Once again Mount Royal inboxes are receiving emails from scammers impersonating Mount Royal employees. The email appears to come from a colleague and asks if the recipient is available. If the recipient responds, the scammer then asks for gift cards.
These emails are easy to identify as the email address is not a Mount Royal email address. Thing is, people are in such a rush these days they don’t bother checking it. They see the name of their colleague and respond.
While responding to the scammer is not necessarily risky, it does encourage them. They now know that you don’t check email addresses. Next time they may be a bit more clever and include a malicious link or attachment.
When reading any email, the first place your eyes should go is to the email address. If it doesn’t match the sender’s name, delete the sucker immediately. You don’t even have to read it. It is easy, it saves you time and it will make your IT department very very happy.
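The sender checks this post and the earlier "Re:" reply-trick post describe, written up as an added example (not the university's own tooling). The organisation domain and the one-entry staff directory are placeholders; the message is constructed to mimic the gift card phish.

```python
import email
from email.utils import parseaddr

# Placeholder organisation domain and a constructed directory; not real MRU data.
ORG_DOMAINS = {"example.edu"}
DIRECTORY = {"pat example": "pat.example@example.edu"}

def sender_flags(raw_message: str) -> list[str]:
    """Return the red flags a careful reader would spot in one raw email."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    # Red flag 1: the address is not from the organisation at all.
    if not domain:
        flags.append("no sender address")
    elif domain not in ORG_DOMAINS:
        flags.append(f"external sender domain: {domain}")
    # Red flag 2: a colleague's display name on an address that is not theirs.
    known = DIRECTORY.get(name.strip().lower())
    if known and known.lower() != addr.lower():
        flags.append(f"display name '{name}' matches a colleague but address is {addr}")
    # Red flag 3: replies silently go somewhere other than the From address.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"replies go to a different address: {reply_to}")
    # Red flag 4: "Re:" in the subject with no threading headers behind it.
    subject = msg.get("Subject", "")
    if subject.lower().startswith("re:") and not (msg.get("In-Reply-To") or msg.get("References")):
        flags.append("subject claims a reply but no In-Reply-To/References header")
    return flags

# Constructed sample in the style of the colleague-impersonation emails.
SAMPLE = """\
From: Pat Example <pat.example@external-mail.example>
Reply-To: pat.example.desk@external-mail.example
Subject: Re: Are you available?
To: someone@example.edu

Are you available? I am going into a meeting, so just reply to this email.
"""

if __name__ == "__main__":
    for flag in sender_flags(SAMPLE):
        print("-", flag)
```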
The latest phishing attack to hit inboxes on campus is absolutely diabolical. It looks 100% legitimate and contains legitimate looking links. In addition, the technique the clever criminals are using by-passes our protective measures preventing us from keeping it out of inboxes. If we block it, we block all MailChimp emails.
Let’s take a closer look at this bad boy.
Pretty impressive, isn’t it? What is even more impressive is that hovering over the links displays Mandrill.com, which is MailChimp’s legitimate tool for tracking clicks, handling payments, account settings and so on. However, if you click the link you get sent to:
While us14-mailchimp kinda looks legit, it is the wrong URL for MailChimp. However, the page looks like a MailChimp login page. We didn’t follow along further to see what happens after you enter your username and password. However, we are pretty sure the next page would be asking for credit card information. The crooks are pretty darn smart. If you log in and then get wise and do not enter your credit card information, they still get access to your MailChimp account, which they can use to send out more phishing emails to other unsuspecting users. It’s brilliantly done.
As smart as the hackers are, Mount Royal employees are smarter. This email was forwarded to email@example.com by one of our own. That’s right, one of our own employees tagged this bit of nastiness. I couldn’t be prouder! They didn’t recall having a paid MailChimp account and recognized that the sent email address was off.
So how do you protect yourself from an attack this well executed? Do what your colleague did: don’t click the links in the email. If you have a MailChimp account, log in to it directly using a bookmark or search result. If there is a problem with your account, the information will be available there. If everything turns out to be in order, you know the email is a phish. Forward it in its entirety to firstname.lastname@example.org and your work as a cyber security superhero is done!
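The hover-versus-landing check from this post as an added example (not the university's or MailChimp's code): it compares where a link claims to go with where it lands and flags a landing host that merely contains the brand name. The brand domain list is taken from the hosts the post names and is an assumption, not an official list; the URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumed brand domains (from the hosts named in the post) and name tokens to watch for.
BRAND_DOMAINS = {"mailchimp.com", "mandrill.com"}
BRAND_TOKENS = ("mailchimp", "mandrill")

def registrable(host: str) -> str:
    """Naive registrable domain (last two labels). Fine for .com-style hosts;
    a production check would use the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify_host(url: str) -> str:
    """'brand' if the host is really the brand's, 'lookalike' if it only
    contains the brand name (e.g. us14-mailchimp.<other>), else 'unrelated'."""
    host = (urlsplit(url).hostname or "").lower()
    if registrable(host) in BRAND_DOMAINS:
        return "brand"
    if any(tok in host for tok in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"

def link_flags(displayed_url: str, landing_url: str) -> list[str]:
    """Red flags for one link: the URL shown on hover versus the page it lands on."""
    flags = []
    shown, landed = classify_host(displayed_url), classify_host(landing_url)
    if landed == "lookalike":
        flags.append(f"landing host imitates the brand: {urlsplit(landing_url).hostname}")
    if shown == "brand" and landed != "brand":
        flags.append("legitimate brand tracking link bridges to a non-brand site")
    return flags

# Constructed URLs in the shape the post describes (hover shows Mandrill, click lands elsewhere).
SHOWN = "https://mandrill.com/track/click/abc123"
LANDED = "https://us14-mailchimp.example/login"

if __name__ == "__main__":
    for flag in link_flags(SHOWN, LANDED):
        print("-", flag)
```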
The MRU impersonators are at it again. Apparently they didn’t get bites just pretending to be a supervisor so they have upped their game. Their third attempt uses an email that appears to come from Dr. Docherty himself.
As with the other attempts, if you respond to this email you are asked to purchase gift cards. This is just another reminder to check the sender’s email address when you find yourself responding emotionally to an email.