ITS Security Alert 9.26: Impersonation Email Attack
ITS has become aware of an impersonation email attack that is currently targeting LMU and Loyola Law School inboxes. Specifically, these emails LOOK like they are coming from individuals you know and, more significantly, sometimes from your supervisor or someone in leadership.
The attacks are sophisticated, and because the emails are personalized they sometimes bypass our security monitoring before they reach your inbox. Please be aware of the following:
- The email will be addressed specifically to you.
- The email may ask if you are busy and if you have a moment to help the person.
- If you reply, the responder will make up a story about not being able to get to a phone but they need your help with an urgent transaction.
- Normally, these hackers are not looking for passwords, but rather for confidential information, social security numbers or money transfers. The hacker will ask you to do something that may actually appear to be legit.
Steps to take if you receive a message like this:
- Check the email address - if it is NOT a legit @LMU.edu or @LLS.edu - please send a copy of the email to email@example.com and then immediately delete.
- If any part of the message seems odd, do NOT respond at all.
- Verify the sender by sending a note to the REAL person, using a new email and adding their name into the email.
Always be vigilant when clicking on email attachments or embedded links, even from people you know.
ITS will never ask you for your password. If you are ever in doubt about the validity of an email, please contact the ITS Service Desk.
A Phishing Primer
Phishing attacks share many characteristics. Here are the typical steps involved in launching phishing attacks via email or telephone.
Anatomy of an Email Phishing Attack
- An email arrives in your inbox.
- The email pretends to be from a legitimate organization, business or government agency.
- The email will have a persuasive message designed to entice the recipient to respond.
- The email will convey a sense of urgency.
- The email will have a reassurance of security.
- The email will have a link to a website, pop-up or web-based form.
- Clicking on the link will lead to a bogus website where the Phishers are waiting to steal your information. You may be prompted to provide private information such as login credentials and/or account information, PIN, credit card information, etc. If you share this information, you are now officially a victim.
Immediately delete all suspicious emails. Remember: No legitimate business or government agency will ever ask for personal information via email or phone unless you initiate the contact. If you receive such a request, DELETE THE EMAIL.
Never click on a link in an email! Instead, copy and paste the link in your web browser address bar.
Anatomy of a Phone Phishing Attack
- You receive a phone call from what sounds to be a legitimate organization, business or government agency.
- The caller will have a persuasive message designed to entice you to respond.
- The caller will convey a sense of urgency.
- The caller will have a reassurance of security and caring about your well-being.
- The caller will then either request personal information, ask for money or even direct you to a website where they are waiting to steal your information.
Do not share any personal information. Remember: No legitimate business or government agency will ever ask for personal information via email or phone unless you initiate the contact. If you receive such a request, HANG UP.
Phishing On The Rise At LMU
In Fall 2018, LMU saw an increased number of fraudulent emails, or SPAM messages, designed to trick recipients into clicking links, opening attachments, or taking other actions. Specifically, we have seen a large number of Email Impersonation Scams targeting key individuals within the university. These attacks typically seem to come from personnel in positions of authority, and ask targets to perform money transfers, pay invoices, or send sensitive data. To learn more about how to recognize these phishing emails and protect yourself and our organization from getting hooked, read the following list of key phishing identifiers, or see the example of a phishing email: Anatomy of a Phishing Email
1. Suspicious Email Addresses - If an email seems to be from a legitimate source but came from a non-official domain (i.e., @hotmail.com instead of @lmu.edu), it's probably fraudulent. Also check the other recipients of the email - if it was sent to a lot of people, especially ones you don't know, you should be suspicious.
2. Generic Salutations - You should be suspicious of any email that isn't addressed directly to you. Watch out for salutations like "Dear Madam" or "Valued Customer".
3. Spelling Mistakes and Grammatical Errors - Everyone makes mistakes, but glaring and obvious errors such as "Loyola Mary Mount University" or a plethora of spelling mistakes and grammatical errors are reasons to be wary.
4. Immediate Action Required - Phishing emails frequently have an alarmist tone, to try to rush recipients into taking action and making mistakes. Legitimate organizations rarely ask for immediate action or personal information.
5. Suspicious URLs - If you hover your cursor over a link, the real destination will appear; phishing emails often use link text that looks legitimate but points to an unsafe site.
6. Attachments - As a general rule, don't open attachments you aren't expecting. If you get a strange attachment from someone you know, contact them before opening it.
7. Too Good To Be True - If something seems too good to be true, it probably is, especially if you receive offers from companies or services you've never used, or get prizes from a contest you never entered.
8. Weird Messages From Friends - Phishing emails may come from someone you know, if a friend's email has been hacked or if a hacker created a new email address using a friend's name to try to trick recipients. If you receive a suspicious email from a friend, call or text them about it before opening the message.
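The two checks the alert asks readers to make by hand (is the sender really on a campus domain, and does a link's visible text match where it actually goes) can also be automated for triage. The script below is an added example written for this page; it is not ITS or LMU code. It assumes @lmu.edu and @lls.edu as the only campus domains, as the alert states, and the two messages it inspects are constructed samples (the addresses and URLs in them are made up for illustration).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the alert names as legitimate campus senders (assumption: these two only).
TRUSTED_DOMAINS = {"lmu.edu", "lls.edu"}

# Visible link text that itself looks like a URL or hostname, e.g. "https://x.edu" or "x.edu/path".
_URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_domain(from_header):
    """Lowercase domain of the real address in a From: header (not the display name)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_campus_domain(domain):
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_sender(from_header):
    """Reasons a From: header looks like impersonation (empty list if none)."""
    reasons = []
    name, addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not is_campus_domain(domain):
        reasons.append(f"sender domain '{domain}' is not a campus domain")
    # A display name that carries a campus address while the real address differs,
    # e.g. "jane@lmu.edu" <someone@elsewhere>, is the classic spoofing pattern.
    if "@" in name and name.lower() != addr.lower():
        reasons.append("display name shows an address that differs from the real sender")
    return reasons


def check_links(html_body):
    """Reasons a link is suspect: plain HTTP, or visible URL text that points elsewhere."""
    collector = _LinkCollector()
    collector.feed(html_body)
    reasons = []
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme == "http":
            reasons.append(f"link to {href} is not HTTPS")
        if _URLISH.match(text):
            shown = urlparse(text if "://" in text else "http://" + text)
            if shown.hostname and target.hostname and shown.hostname.lower() != target.hostname.lower():
                reasons.append(f"link text shows {shown.hostname} but points to {target.hostname}")
    return reasons


def triage(raw_message):
    """Parse a raw RFC 822 message and return every reason it looks like phishing."""
    msg = message_from_string(raw_message)
    reasons = check_sender(msg.get("From", ""))
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            reasons += check_links(body)
    return reasons


# Constructed sample: display name spoofs a campus address, link text hides the real host.
SAMPLE_IMPERSONATION = """\
From: "jane.provost@lmu.edu" <jane.provost@example-mail.test>
To: staff@lmu.edu
Subject: Quick favor
Content-Type: text/html; charset="utf-8"

<html><body><p>Are you busy? I need help with an urgent transaction.
Confirm here: <a href="http://lmu-edu.example-pay.test/login">https://mytime.lmu.edu</a></p></body></html>
"""

# Constructed sample of a message that passes both checks.
SAMPLE_LEGIT = """\
From: ITS Service Desk <servicedesk@lmu.edu>
To: staff@lmu.edu
Subject: Maintenance window
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://its.lmu.edu/status">https://its.lmu.edu/status</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("impersonation", SAMPLE_IMPERSONATION), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample) or "no findings")
```

The sender check deliberately reads the address inside the angle brackets, not the display name, because mail clients show the display name and that is exactly what an impersonator controls. The link check only compares hostnames when the visible text is itself a URL; a link whose text is "Confirm here" is not a mismatch, it simply has to be hovered over as the alert describes.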