{"id":492,"date":"2013-02-25T08:57:48","date_gmt":"2013-02-25T14:57:48","guid":{"rendered":"http:\/\/sites.augsburg.edu\/it\/?p=492"},"modified":"2025-08-11T09:19:27","modified_gmt":"2025-08-11T14:19:27","slug":"phishing-when-at-first-you-succeed-try-and-try-again","status":"publish","type":"post","link":"https:\/\/sites.augsburg.edu\/it\/2013\/02\/25\/phishing-when-at-first-you-succeed-try-and-try-again\/","title":{"rendered":"Phishing – when at first you succeed, try and try again"},"content":{"rendered":"

Let’s try again.<\/h2>\n

The phishing attack from about 2 weeks ago<\/a> is back and it brought friends.\u00a0 The email is nearly the same too.\u00a0 The last attack did trick some people so they might have thought they’d try it again.\u00a0 Here is the first email from today:<\/p>\n

\"Screen<\/a><\/p>\n

This time they fixed the typo.\u00a0 Did you catch it last time<\/a>?\u00a0 I’ll review the phishy aspects of this email.\u00a0 All of these are red flags that should make you suspicious.\u00a0 If you feel suspicious then it is likely a scam and you can delete it.\u00a0 Always feel free to ask us too.<\/p>\n

    \n
  1. You are being asked to login and update your email address.<\/li>\n
  2. The subject is pretty generic.<\/li>\n
  3. The From is miami.edu and not augsburg.edu.<\/li>\n
  4. The message is not TO: you, it is BC: (blind carbon copied) at you.<\/li>\n
  5. If you clicked on the link (which you should not!) it goes to\u00a0www.verderural.com.br which looks a bit odd.<\/li>\n<\/ol>\n

    Shortly after the above email another phishing email was sent that represents a more standard attack.<\/p>\n

    \"Screen<\/a><\/p>\n

    Let’s count the red flags.<\/p>\n

      \n
    1. The subject is pretty generic.<\/li>\n
    2. The From is info@security.com (not the IRS).<\/li>\n
    3. There is an urgency to the message and it involves taxes.\u00a0 Why would you need to visit a website about tax forms within 48 hours?<\/li>\n
    4. The web address actually goes to a totally different website (see below).<\/li>\n<\/ol>\n

      About the web address.<\/h2>\n

      Many email programs allow you to move your mouse over the link without<\/strong> clicking on it.\u00a0 That way you can see where the link will go before<\/strong> clicking on it.\u00a0 My GroupWise client shows the link at the bottom of the email window (shown below).\u00a0 In both cases the actual destination is not the same as what the link appears to be in the email (big red flag).<\/p>\n

      \"Screen<\/a><\/p>\n

      \"Screen<\/a><\/p>\n

      This time I took a picture of the first login page before we blocked it on campus.\u00a0 They made a copy of one of our web pages to try to fool you.<\/p>\n

      \"Screen<\/a><\/p>\n

      Even though the page doesn’t have any Augsburg logos it looks rather official.\u00a0 But again, if you did click on the link (which you should not do!<\/strong>) notice the web address in the browser address bar at the top.\u00a0 There is nothing there that looks familiar and the .br (Brazil!) should be a big red flag.<\/p>\n

      The second phishing email’s website is very very tricky. See below.<\/p>\n

      \"Capture2\"<\/a><\/p>\n

      Let’s see what red flags exist on this web page.<\/p>\n

        \n
      1. The address in the address bar is .br (Brazil).\u00a0 That should be a big red flag.<\/li>\n
      2. The web page is asking for your Social Security Number and birth date.\u00a0 Those should set off your alarms right away.\u00a0 Those two pieces of information are critical to your personal information security.\u00a0 You should never be entering those online in response to an email.\u00a0 Those two pieces of information are the keys that gain entry into your whole personal financial world — guard them like they are made of gold.<\/li>\n<\/ol>\n

        What should I do if I did enter my password?<\/h2>\n
          \n
        1. The first thing you should do is go change your password on Inside Augsburg<\/a>.<\/li>\n
        2. Don\u2019t worry if you can\u2019t login to change your password \u2014 try to use the \u201cForgot password\u201d link to reset it.<\/li>\n
        3. If you can\u2019t reset it just call the Tech Desk<\/a> or your LFC<\/a> to get your account unlocked.\u00a0 It is very likely<\/strong> that if you gave up your password that they are already sending spam and Augsburg IT will detect the 100s of emails being sent and will have changed your password to lock out the phishing attacker.<\/li>\n
        4. After you have changed your password be sure to update your phone and other mobile devices with the new password.<\/li>\n<\/ol>\n

          And to illustrate again, here is another student video this time from CalPoly Pomona.<\/p>\n