Ohio State regularly runs phishing training exercises for the university community. By clicking the link that brought you to this page, you succumbed to a university phishing simulation. Read on to learn how to spot phishing messages and protect yourself and the university from malicious attacks. Employees and students can also visit Cybersecurity for You to learn more about phishing and other cybersecurity topics.
Spotting the Phish

Sender Addresses: The sender address, accounts.snap@techsupport-corp.com, is very generic and should raise red flags. The domain (everything after the @ symbol) is the first indication that this might be a phishing attack. A legitimate email from Snapchat would come from a domain address that includes "snapchat.com". Additionally, if Snapchat needed to confirm your email address, they would use established channels within their platform to notify you directly.
Awareness: It is always good practice to be skeptical of this type of email. Reporting the email as "phishing" or "suspicious" allows the university's security team to investigate the email and take action to protect you and your colleagues if it is malicious. The Report Phishing Attempts section below provides guidelines for reporting phishing/suspicious emails. If the email is indeed legitimate, you will be notified that it is OK to proceed and you can retrieve the email from your deleted folder.
Protect Yourself from Phishing Attempts
Can I click a link in my email?
Email messages often contain links, whether they come from trusted family, your bank, or other people or companies. While links themselves are not a bad thing, you should always be suspicious of them. Below are some examples of unwanted results that can occur from clicking a bad link in an email:
- Some websites can install malicious software on your computer just by visiting them.
- Malicious websites can be made to look exactly like a legitimate login screen for any service you use (like your bank or even Ohio State's login page). These malicious login pages will then steal your username and password if you provide them.
- Other malicious websites will prompt you to install an application or download a file.
You should always be suspicious of links in email messages, even if you know the sender. Before you click, you should verify that you recognize the linked URL.
Where can a phishing link take you?
Cybercriminals often include links in their emails that will take you to a fake site that resembles a real one. Once you are at their site, they will attempt to steal your login credentials or infect your computer with malware.
To find out where a link is really taking you, hover over the link with your mouse pointer without clicking. The actual URL will appear above the text that is displayed in the email message itself.
Some common signs the URL links to a malicious site are:
- The URL is only an IP address (like 140.254.112.130).
- The URL does not match what is shown in the email content. For example, the email is from your bank, but the URL is not your bank’s website.
- The URL is very long or confusing, but does contain a familiar term. For example, yourbank.site1230541356.com.
Any of these warning signs could mean that the email is a phishing attack.
Knowing how to see where a link is going to take you can help you identify phishing emails before you fall victim to them.
How to Read a URL
Phishing emails often contain links to malicious sites that are designed to infect your computer with malware or collect login credentials from you.
Knowing how to correctly identify where a URL will take you is the most important step you can take to avoid falling victim to a phishing attack.
URLs have five main parts to them:
1. Protocol (usually, http or https, but there are others)
2. Subdomain
3. Domain
4. Extension (can also be .org, .net, or others)
5. Directory
There can be other subdirectories or filenames after the directory (5) as well.
You should pay close attention to URLs in email messages to make sure that the domain (3) is correct. The domain will always be directly followed by the extension (4). Just because the site you are expecting is listed somewhere in the URL does not mean you are visiting the correct page!
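The domain check described here, together with the warning signs listed under "Where can a phishing link take you?" and the sender-domain check from "Spotting the Phish", as an added Python example (not part of the original page). The function names are hypothetical, and the domain is taken naively as the last two labels of the hostname, which assumes a single-label extension such as .com or .org.

```python
import ipaddress
from urllib.parse import urlsplit

def host_of(text):
    """Hostname of a URL or bare host string; '' if it does not look like one."""
    text = text.strip()
    if not text or " " in text:
        return ""
    try:
        return (urlsplit(text if "://" in text else "//" + text).hostname or "").lower()
    except ValueError:
        return ""

def registered_domain(host):
    """Domain plus extension, taken naively as the last two labels.
    Assumption: single-label extensions (.com, .org, .edu); suffixes such as
    .co.uk need the Public Suffix List for a correct answer."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_link(href, expected_domain, display_text=""):
    """Return the page's warning signs that apply to one link."""
    host, expected = host_of(href), expected_domain.lower()
    if not host:
        return ["no hostname found"]
    if is_ip(host):
        return ["URL is only an IP address"]
    signs = []
    shown = host_of(display_text)  # only compared when the visible text is itself a host/URL
    if shown and "." in shown and registered_domain(shown) != registered_domain(host):
        signs.append("URL does not match what is shown")
    if registered_domain(host) != expected:
        signs.append("domain is not " + expected)
        if expected.split(".")[0] in host:
            signs.append("familiar term appears outside the domain")
    return signs

def sender_domain(address):
    """Everything after the last @ in a sender address."""
    return address.rsplit("@", 1)[-1].strip().lower()
```

An empty list from `check_link` means none of these signs fired for that link, not that the link is safe.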
Spear-Phishing Targets Everyone
"91% of targeted attacks involve spear-phishing emails, reinforcing the belief that spear phishing is a primary means by which [advanced and persistent threat] attackers infiltrate target networks." - TrendLabs APT Research Team
Spear-phishing is a method of targeting one person directly with a phishing email that is designed for that person specifically.
Spear-phishers use email to achieve the following goals:
- Deliver a malicious file attachment that can infect your computer with malware.
- Entice you to click on links that will take you to malicious websites that will infect your computer with malware just by visiting them.
- Trick you into giving up your login credentials by either asking for them in the email directly, or by having you click on a link to a fake login page.
- Get you to perform some action (like sending a PO or paying money) that you normally would not do. This is often done by impersonating or spoofing a supervisor’s name or email address to make the message appear valid or important.
Spear-phishing often targets people outside of IT and management, so even if your role is not in one of those two areas you can still be targeted.
Be Aware When Opening Email Attachments
One of the most common reasons for sending a phishing email is to deliver malware as an email attachment. Spear-phishers also use attachments to gain access to critical machines by installing keyloggers to steal your credentials or "trojan horses" to access your network.
Identifying a malicious attachment can be hard, even for the experts. However, there are a few warning signs that you can look for to determine if an attachment is not legitimate:
- The attachment is out of context. For example, you receive an attachment called “Payroll updates”, but you work in the purchasing department.
- You were not expecting an attachment at all.
- The file type is out of place, or you need to install software to open the file. For example, you are asked in the email to review an attached document, but the document ends in .exe instead of .docx. When you attempt to open the attachment, your computer asks you to install the software, which is malware.
Some phishing emails will have attachments that have a file extension which has been changed. Sometimes the malicious attachment is in a .zip file that you must decompress first.
It is very important that you pay close attention whenever you receive an email with a file attachment.
See Something, Say Something
When you report a phishing or suspicious email, you are helping the university community as a whole. Reporting a phishing/suspicious email provides the following benefits:
- The email security team can verify if the email is legitimate or a phishing attack.
- If the email is determined to be malicious, the security team can prevent the same message from being delivered to other users.
- Malicious web sites can be taken down or blocked.
A fast reaction to a phishing attack helps keep everyone safe. It’s better to report a legitimate email than to not report a malicious one. Be safe, not sorry!
Be Vigilant with Emails
Phishing emails are fairly common and are used for a number of different purposes.
- As a consumer, cybercriminals target your financial accounts, both banks and credit cards.
- As a computer user, they want to gain access to your computer or network for a number of nefarious purposes, including sending out more phishing emails.
- As a university employee, they target things like intellectual property or research data, network resources, and financial details or payments.
Some phishing emails will attempt to trick you into handing over sensitive data, like your username and password, by either directly asking for those details in a reply or by sending you to a fake login form on a malicious website. When you provide your login details to the fake site, your username and password are captured by the cybercriminals and then used to access your account and any resources your account has access to. They may also use your account to send out more phishing emails as well.
Phishers target all users at Ohio State, from those in leadership positions to entry-level employees and even students. No matter your role here, you will receive a phishing email at some point.
Spam vs. Phishing
Not all unwanted emails are phishing. Sometimes the messages are just junk email, called spam.
Spam messages are unsolicited emails that try to sell a product or service, while phishing messages are malicious emails designed to trick large groups of people into sharing information or allowing malicious code to run on their computers.
Even though a message may appear to be just spam at first, such messages often include an “unsubscribe” link. These unsubscribe links can direct you to a malicious site that will try to have you log in to their fake page to steal your credentials. They may also use the fake unsubscribe page as a way to verify your email address is active and then send you a more targeted spear-phish.
The safest way to unsubscribe from any legitimate email messages is to type the URL for the site or service directly into the browser and use the tools there to unsubscribe.
Learn More About Cybersecurity
Digital Security and Trust has resources available to help you protect university data. University employees can access Cybersecurity for You to learn about how to be more secure in their personal and professional digital lives.
Report Phishing Attempts
If you ever suspect an email to be a phishing attack, please report it immediately by clicking the "Report Phishing" button in Outlook or forwarding the message to report-phish@osu.edu. You can also report suspicious emails sent from an external (non-Ohio State) sender by clicking the "Report Suspicious" button in the warning banner which appears at the top of that external email.