MSU Information Security Phishing Exercise


If you have reached this page from an email link or immediately after entering your username and password, you just fell for a phishing attack! Don't worry, this was actually a training exercise conducted by the MSU Information Security team. We are conducting this exercise in order to promote awareness of email threats and provide training through a real-world example. Scammers and hackers are constantly targeting MSU students and employees via email in order to steal money or gain access to your accounts.


Please take a few moments to review the information in this article to get tips on how you can avoid this in the future.


Here is an example of what an actual phishing attack targeted at Murray State students and employees may look like. While this email may seem convincing at first glance, there are a few details that should create suspicion about its legitimacy.

After clicking any link, always check the site's address (URL) before signing in. Just because a page "looks" like myGate does not mean it is legitimate. A site may not be safe if the address bar in your browser is missing the "lock" icon, the word Secure, or "https" at the beginning of the address; the lock only means the connection is encrypted, so check the address itself as well. When you log in to myGate and Canvas, the address should always begin with https://login.murraystate.edu, and your email login address should always begin with https://login.murraystate.edu too.

Consider the two images below. One is the real login page for myGate. The other is fake and could be used by an attacker to steal your username and password after you enter them.


Attackers will also attempt to access your email by stealing your Google credentials.

The safest way you can navigate to a site is by manually typing the URL into your address bar. Try typing mygate.murraystate.edu or canvas.murraystate.edu into your address bar instead of just trusting a link. For email, you can type accounts.google.com or racermail.murraystate.edu. The login page for most MSU services is login.murraystate.edu.

If you are unsure if an email is legitimate, ask yourself these questions before replying or clicking on a link. Always keep in mind that University administrators and Information Systems personnel will never request your username or password by email. If an email claims to be from the University, Information Systems, or the murraystate.edu team and asks you to give out your private information, it is a scam.

Look at the Header

  1. Have I given my email address to this company before? Do I have an account with this company? Does the sender's identity match the purpose of the email? Email about your bank or university account should come from that organization, not from a random email address. If you have no relationship with the sender, 99% of the time it is a phishing email.
  2. Is my email address listed as the From: address? If so, it is a fake email.
  3. Is the To: line addressed to undisclosed-recipients or to a large number of recipients? A legitimate email from a business you have dealt with will usually be addressed only to you. If the text alludes to confidential information but has several addresses on the To: line, it is definitely not legitimate.
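The three header questions above, turned into a small mail-filter rule as an added example (not part of the MSU article); the two sample messages are constructed, and the organization-to-domain map is an assumption to adapt to your own institution or bank:

```python
"""Apply the article's three header questions to a raw message.
Added example, not from the MSU article. Both messages are constructed,
and ORG_DOMAINS (which organization should mail from which domain) is
an assumption to adapt to your own institution or bank."""
from email import message_from_string
from email.utils import getaddresses

# Constructed: sender is the recipient's own address, undisclosed To: line.
SPOOFED_SELF = (
    "From: jdoe@murraystate.edu\n"
    "To: undisclosed-recipients:;\n"
    "Subject: Verify your account\n\nClick the link below.\n"
)
# Constructed: claims to be Information Systems but comes from elsewhere.
WRONG_DOMAIN = (
    "From: MSU Information Systems <alerts@webmail-notice.example>\n"
    "To: jdoe@murraystate.edu\n"
    "Subject: Account maintenance\n\nSend your username and password.\n"
)
ORG_DOMAINS = {"murray state": "murraystate.edu", "msu": "murraystate.edu",
               "information systems": "murraystate.edu"}


def header_flags(raw_message, my_address):
    """Return the red flags raised by the From: and To: headers."""
    msg = message_from_string(raw_message)
    flags = []
    senders = [(name.lower(), addr.lower())
               for name, addr in getaddresses(msg.get_all("From", [])) if addr]
    # Question 2: my own address is listed as the sender.
    if any(addr == my_address.lower() for _, addr in senders):
        flags.append("from-is-my-address")
    # Question 3: undisclosed recipients or a crowd on the To: line.
    to_raw = ", ".join(msg.get_all("To", []))
    recipients = [addr for _, addr in getaddresses([to_raw]) if addr]
    if "undisclosed-recipients" in to_raw.lower() or len(recipients) > 1:
        flags.append("bulk-recipients")
    # Question 1: display name claims an organization, address domain disagrees.
    mismatch = any(org in name and not addr.endswith("@" + domain)
                   for name, addr in senders for org, domain in ORG_DOMAINS.items())
    if mismatch:
        flags.append("sender-domain-mismatch")
    return flags
```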

Look at the Content

  1. Does the website link look valid? Make verifying web addresses a habit. Even though a link looks valid and displays the correct web address, it could take you somewhere completely different. Never click a link or an image without verifying that the link is legitimate; you could be redirected to an attacker's website. Hover (but do not click) the mouse pointer over the link to see the real web address. Watch out for web addresses that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters. For example, the address www.microsoft.com could appear instead as:
    • http://www.micosoft.com
    • http://www.mircosoft.com
    • http://www.verify-microsoft.com
  2. Are there misspellings and typos? Is the grammar correct and the tone appropriate? An email from a professional company should be well written.
  3. Am I being promised a lot of money for little or no effort on my part? Watch out for emails that make a promise that seems too good to be true. These are common phishing scams known as advance fee fraud. Examples of these claims might be:
    • "You have won the lottery" (perhaps one from a foreign country) that you don't remember entering.
    • A foreign government official would like your assistance in transferring funds and will pay you a hefty commission if you agree.
    • You stand to inherit millions of dollars from a relative you don't remember.
  4. Am I asked to provide money up front for questionable activities, a processing fee, or to pay the cost of expediting the process? This is a common way for con artists to scam money from unsuspecting users. The con artist disappears after taking your initial payment.
  5. Is someone asking me for my bank account number, other personal financial information or passwords? Beware of emails asking for this information, even if the sender offers to deposit money into your account. Be suspicious of phrases like:
    • "Verify your account."
    • "Click the link below to gain access to your account."
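The address checks described above (the trusted login hosts from the earlier paragraphs and the altered company names in item 1), written out as an added example that is not part of the MSU article; the brand list and the sample URLs, including evil.com, are constructed. Anything not on the allowlist comes back as unknown, matching the article's advice to type addresses yourself:

```python
"""Check an emailed link the way the article describes: an exact trusted
host over https is fine; otherwise look for altered or borrowed brand names.
Added example, not from the MSU article: trusted hosts are the ones the
article names, the brand list and sample URLs are constructed."""
from urllib.parse import urlsplit

TRUSTED_HOSTS = {
    "login.murraystate.edu", "mygate.murraystate.edu",
    "canvas.murraystate.edu", "racermail.murraystate.edu",
    "accounts.google.com",
}
# Registered domains that phishers imitate (constructed list).
BRANDS = ("murraystate.edu", "microsoft.com", "google.com")


def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap adjacent) to turn a into b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposed letters
    return d[len(a)][len(b)]


def classify_url(url):
    """'trusted', 'no-https', 'lookalike' or 'unknown' for a link target."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in TRUSTED_HOSTS:
        return "trusted" if parts.scheme == "https" else "no-https"
    # Registered domain = last two labels: login.murraystate.edu.evil.com is evil.com.
    registered = ".".join(host.split(".")[-2:])
    for brand in BRANDS:
        name = brand.split(".")[0]
        if registered == brand:
            continue  # the brand's own domain, e.g. www.microsoft.com
        # Borrowed name: verify-microsoft.com, login.murraystate.edu.evil.com
        if name in host:
            return "lookalike"
        # Typo-squat: micosoft.com (dropped letter), mircosoft.com (swapped letters)
        if edit_distance(registered.split(".")[0], name) <= 1:
            return "lookalike"
    return "unknown"
```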

Think about the Email's Purpose

Email is NOT a secure way to share sensitive information. Businesses should not ask you to send passwords, login names, Social Security Numbers, or other personal information through email. Be advised that Information Systems will never request your password.

  1. Is the issue really as urgent as the sender makes it out to be? Con artists try to convey a sense of urgency so that you'll respond immediately without thinking. Be suspicious of phrases like:
    • "If you don't respond within 48 hours, your account will be closed."
    • "Failure to do this may automatically render your account deactivated."
    • "Our investigation shows that your email address is compromised and is used to send out spam message in our webmail system. As a result, our network engineer will be conducting a maintenance in our webmail system, your Username will be disabled if you do not send us the required information within 48 hrs."
  2. Why does the sender request confidentiality? How can I tell whether the evidence offered that the proposed activity is legitimate is itself authentic? Be suspicious of offers to send you photocopies of government certificates, banking information, or other evidence that their activity is legitimate. Photocopies are not acceptable for verifying the authenticity of documents and are often fake.


* If you ever receive a message in your MSU email account that you believe may be a phishing attempt or a scam, please forward it to abuse@murraystate.edu.

Details

Article ID: 38698
Created
Wed 9/6/17 9:46 AM
Modified
Fri 1/19/24 11:37 AM