Sent via email on 7/2/17.
- Workday- You can tell that these are legitimate because the links in the body of the email go to myworkday.com/uw/. Also, when the UW login screen pops up, the address is idp.u.washington.edu. Note that there are known scams related to Workday, so make sure to hover your mouse over the links in any Workday emails you receive to make sure they go to our Workday site and not a fake site.
- UW Athletics- You can tell that these are legitimate because the links in the body of the email go to the domain uwathletics.fan-one.com. Per the UW Athletics dept, they have a new ticketing system and are sending out new system activation instructions to everyone who has used their system in the past.
Fake Fake Fake:
- American Airlines order confirmation email saying that your credit card was charged. The intention is to alarm you and fool you into providing your credit card info on the malicious website. Similar scams involve Apple and Amazon order confirmations. If you receive an order confirmation email and don’t know if it’s legit or fake, I recommend that you log onto the vendor website via bookmark or Google search rather than clicking on the link contained in the email.
- The usual phishing emails targeting UW accts. The latest one is called Unusual Login Attempt and has a link to the malicious website http://universityofwashiington.weebly.com/. Note that the domain of this link is not a UW domain (it’s weebly.com), so it is malicious.
Tips for recipients:
* The key thing to watch out for is unsolicited email. Unsolicited means that you were not expecting it.
* It doesn’t matter if you recognize the sender or not- sender name and address are easily faked.
* If an unsolicited email contains a link or attachment, do not click the link or open the attachment unless you can verify that the sender sent you this exact email. It doesn’t matter that they have sent you emails in the past.
* Checking on unsolicited emails does take extra time. But it might save you from getting phished or having your computer infected with malware, both of which are time-consuming problems to fix.
Tips for senders:
* To the extent possible, don’t send emails with links or attachments. Instead reference where the link or document is on a shared resource. Example: “To log onto the UW Employee Self Service webpage, please use the link on the Clinical Lab Links webpage under the UW Resources header.”
* Never send unsolicited emails with links or attachments. Always let your recipient know ahead of time if you will be sending a link or attachment.
* Never send links to secure systems that require login. This trains recipients to click links in email and log in when prompted, which is a key component of phishing campaigns.
Let’s do everything we can to keep ourselves and our co-workers safe!
Fake– These are scams so do NOT click links and do NOT enter info into websites.
- Google Docs invite- This one looks very real because links actually go to Google. In this case, Google accounts were hacked and were hosting a phishing scam targeting Google accounts. Google has since shut this down.
- Xerox multifunction doc- This one includes “conf” or “order” in the title followed by a number. It is personalized with your name. It instructs you to open an attachment which was sent from a Xerox machine. The link looks like an attachment name, but actually goes to a malicious website.
- “You have a message from President Ana M”- Curious what the UW prez would like to tell you? Don’t be, because this one’s fake. It’s a scam to steal UW NetID credentials.
- “Update”- This one appears to be from a UW email address (faked). It targets your UW NetID acct, threatens to suspend your email if you don’t respond within 24 hrs, and contains a link to a malicious website.
- “NetID Update”- This one also appears to be from a UW address. It also targets UW NetID and threatens to terminate your acct if you do not respond. It has a link which appears to be to a UW website, but is actually a malicious website.
- “Employee Self Service” – This one is a real mishmash. It features obviously fake email addresses, references to Microsoft Outlook, a link to a malicious website, and oddly, a National Health Laboratory Service disclaimer.
- “Re-validate mailbox”- This is another generic sort of phishing email targeting Microsoft Outlook users. It asks you to verify acct in order to increase storage capacity.
- “Scanned_Invoice873.pdf -Dropbox”- This one invites you to go to a malicious website (supposedly Dropbox) and retrieve a mysterious PDF invoice.
Real– I have confirmed that the following are legit emails. You may safely click links in the email and enter your personal information on the websites.
- UW Transportation office reminder to renew UPASS and other commute products.
- UW Transportation office request to update vehicle registration.
- UW Office of Regional and Community Relations employee housing survey- links to Survey Monkey.
Can’t get enough of phishing examples? No problem!
The UW CISO (Office of the Chief Information Security Officer) has some great examples on their webpage.
They also have a great explanation of phishing vs. regular old spam emails.
There have been a lot of malicious emails lately, so I wanted to give you a quick update on what is real and what is fake.
1. Email from UW Office of Research titled “Your Action is Needed! Significant Financial Interest (SFI) Annual Update Required in 14 Days.” It sounds spammy but I have confirmed with the Office of Research that it is legit.
2. UW TAP survey- also confirmed real
Fake Fake Fake
1. “Email Account Closure” notice for Office365 users
2. “Urgent Review” with attached malware-infected PDF
3. “Update Required” phishing attempt to get tax info (says it’s from HR/Payroll)
4. “Beware of phishing emails” with details about supposed UW acct maint and threats to suspend acct
5. “UW Notification”- name-drops both UW and Office365, again threatening to suspend acct
6. Emails claiming you bought a shockingly expensive item- phishing scam targeting your credit card or bank info
7. FedEx delivery scam with attached malware-infected PDF
8. “Meeting notification” phishing scam targeting UW NetID
9. Our old favorite, USAA bank phishing scam
10. And the weirdest one I’ve seen yet- “Notice of Unsatisfied Photo Enforcement Ticket” supposedly from DMV, featuring such convoluted language as might appear in a real government notice.
I could go on and on, but you get the point- fake emails greatly outweigh legitimate ones. If something sounds fishy (or phishy), it’s because it is. Trust your judgment but ask if you’re unsure.
It’s been quiet since the USAA scam emails have died down, but don’t let your guard down yet! There’s a new phishing scam making its rounds.
Like a horoscope, this one is just vague enough to seem to apply to everyone. Note also the inclusion of “uw” in sender address and link- again, what we see is that “uw” is not in the right place in the address for it to be an actual UW domain website.
From: Justin Alexander [mailto:firstname.lastname@example.org]
Sent: Tuesday, December 20, 2016 12:06 PM
We have noticed some unusual login attempt to your account, Kindly update
your mailbox for your security purpose, please <http://web32uw.esy.es/>
Click Here to avoid cancellation.
Thank you for helping us protect you.
IT Helpdesk Support.
This USAA bank phishing scam email looks very official, doesn’t it? Only the link and the slight misspellings and grammatical errors give it away as a fake.
What scammers did with the link is quite clever. If you hover your mouse over the “Validate Your Account” link, you would see “usaa.com” in there twice. However, usaa.com is not in the right place. If you clicked the link, you would be taken to the web server shown below in red, not usaa.com. Tricky!
There were several variants of this email. Scammers often change sender address, web link, or even organization name in order to avoid detection by email filters.
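The hover check used throughout these posts (read the host name from its right-hand end, and ignore a familiar name that shows up anywhere else in the link) written out as an added example; it is not part of the original posts or emails. The allow-list and the usaa.com sample link are constructed for illustration, since the original USAA link is not shown on the page.

```python
from urllib.parse import urlsplit

# Hosts the page names as genuine; using them as an allow-list is this example's assumption.
TRUSTED = ("washington.edu", "myworkday.com", "uwathletics.fan-one.com", "usaa.com")

def link_host(url):
    """Host the browser would contact, lower-cased, for a link with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def trusted_domain(url, trusted=TRUSTED):
    """Trusted domain that the host equals or is a subdomain of, else None."""
    host = link_host(url)
    for domain in trusted:
        # Compare whole labels from the right-hand end: the leading dot stops
        # "evilcorp.example" from matching "corp.example".
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def decoy_names(url, trusted=TRUSTED):
    """Trusted names that appear in the host but not at its right-hand end."""
    if trusted_domain(url, trusted):
        return []
    host = link_host(url)
    return [d for d in trusted if d in host]

def check(url):
    """One-line verdict for a link, as a reader would reason while hovering."""
    domain = trusted_domain(url)
    if domain:
        return f"ok       {link_host(url)} (under {domain})"
    decoys = decoy_names(url)
    note = f", contains decoy {', '.join(decoys)}" if decoys else ""
    return f"SUSPECT  {link_host(url)}{note}"

SAMPLES = [
    "https://idp.u.washington.edu/",                  # from the page
    "myworkday.com/uw/",                              # from the page
    "http://universityofwashiington.weebly.com/",     # from the page
    "http://web32uw.esy.es/",                         # from the page
    "http://usaa.com.usaa.com.example.net/validate",  # constructed sample
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check(url))
```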
Today’s phishing example shows off a new technique- threatening to withhold your email until you click the link and provide acct information. Not only does it inspire panic, but also curiosity- aren’t you dying to know what those 2 emails are?! I am too, but not enough to get phished.
From: Bodnar, Brittanee Sue [mailto:email@example.com]
Sent: Thursday, September 01, 2016 7:03 AM
To: Bodnar, Brittanee Sue
Subject: Upgrade your account
Your Two incoming mails were placed on pending status due to a recent upgrade to our data, In order to receive the messages CLICK HERE to login and wait for response from Administrator, we apologize for any inconvenience and appreciate your understanding
The malicious email below came with a .doc (Word format) attachment. The attachment is most likely a vehicle for installing malware onto your system.
Remember to practice good attachment hygiene- never open attachments from people you don’t know or open attachments on emails you weren’t expecting. When in doubt, contact the sender to inquire about attachments before opening.
From: Ole Borgbjerg@s.uw.edu [mailto:Ole Borgbjerg@s.uw.edu]
Sent: Monday, August 29, 2016 11:18 PM
Subject: Re: PO #099282
Please find attached PO #099282 duly acknowledged for your attention.
Thanks & regards,
I’ve got Alanis Morissette’s song Ironic* stuck in my head today. And all because of this phishing email.
From: University of Washington [mailto:Boedkerc@duq.edu]
Sent: Tuesday, August 23, 2016 4:14 AM
Subject: Avoid Your Email Suspension
University of Washington
ATTENTION ATTENTION ATTENTION
Verify your University of Washington Email email account
to avoid email suspension
Copyright c 2013 University of Washington
Where does the irony come in, you ask? Because the only way you’d have your email account suspended is if you clicked that link and got phished by them!
*Despite its misrepresentation of the concept of irony, Ironic is a very catchy song. If you don’t know it, check it out- but NOT on your work computers please!!!