Return of the Scammers: Part One

Like terrible slasher films on their 14th volume, the scammers have returned. You keep thinking, “They couldn’t possibly be coming out with another release of ‘Verify Your Identity,’ could they?” But sure enough, “Verify Your Identity 15 – This time, we really mean it!” comes out in the fall, and there is an email in your inbox promoting this box office bust. “If you don’t verify your identity in 24 hours, you’ll LOSE YOUR STUDENT LOANS FOREVER.”

Is anybody really scared by this call to action? Are people still moved by these flimsy appeals? 

Well, yes. There is a vast market for scams of all kinds, and while the same plot keeps playing out, new audiences who have not seen “Verify Your Identity 1-14” do not yet know the cheesy dialogue, the ham-fisted plots, and the awful acting. They may never have been caught up in a scam that cost them thousands of dollars, and valuable parts of their identity have not yet been compromised. That is why we keep writing about these scams: they keep happening, and they keep generating profit for an industry of deception and theft.

Identifying Phishing

As you may already be aware, the emails we are talking about are known as phishing, and they are one of the biggest problems on the internet today. By one estimate, roughly 1% of all email traffic worldwide is phishing, about 3 billion messages sent per day (source).

Since “.edu” email accounts (like the one you have) are considered highly legitimate, they are big prizes in the cybercrime world. Universities also run on a predictable schedule: scammers know exactly when new students will arrive, and new students, who may not yet be familiar with all the legitimate services a university hosts, can easily be fooled into thinking that something is real when it is not, simply because they have never seen this movie before.

Identifying phishing is a vital first step in protecting yourself against the consequences of falling victim to them. There are six things you can do to help prevent yourself from getting caught in a phishing scam:

  1. Always check the sender – sometimes emails are “spoofed,” meaning the sender address is forged to look legitimate. More often, though, the emails in question come from illegitimate sources such as .org accounts, .com accounts, or other stolen .edu accounts. A good rule to follow is that if a message comes from outside the TXST network, be very cautious about interacting with it. If you suspect it is phishing, forward the email as an attachment to abuse@txstate.edu or use the built-in reporting tools in your email client.
  2. Know who you are dealing with – even if an email comes from a legitimate TXST email account, that does not mean the sender is legitimately contacting you, or that their account has not been compromised. If you receive an email from a TXST user you do not know, and they are asking you to do something or sending documents you were not expecting, be cautious and do not open unknown attachments.
  3. Look for apparent tells – every liar has a tell, and in the phishing world the tells can be poor grammar, fake names, poor formatting, or invented offices and people. Use a critical eye to evaluate what comes to your inbox and look for clues as to whether it is legitimate. Do not take clean grammar as proof of legitimacy, though: scammers are getting smarter and often copy content from legitimate emails into their fraudulent ones.
  4. Check links by hovering – you can check where a link in an email really goes by hovering your mouse over it and reading the address shown in the tooltip or status bar (on a phone, press and hold the link to preview it). If the address shown does not match the link text, or does not match the site the email claims to be from, that is a good indicator that the link goes somewhere malicious. Do not click it! Forward the email as an attachment to abuse@txstate.edu for further analysis.
  5. Never give out personal information – if you receive an email asking you to submit your password for “verification,” or telling you that you need to log in to verify your account, treat it as a scam, especially if the email is unsolicited. If you have not signed up for any new services, you can be reasonably sure that you are being socially engineered into becoming the victim of a scam. In other words, never respond to an email from a source you are not 100% sure about.
  6. Go straight to the source – if you are worried that an email might be legitimate but cannot tell, you can always go directly to the source: open a new browser window, navigate to the website in question yourself, and log in independently of any links in the email.

Can’t stop, won’t stop

The business model of phishing is fraud, and phishers always return. Phishing will not end any time soon, because it is a multi-billion-dollar industry. It is not some lone criminal in their parents’ basement eating Doritos and watching reruns of “Battlestar Galactica.” It is international, distributed across countries, and incredibly hard to stop. Therefore, it falls to us to watch for the tell-tale signs of scams and fraud, to let people know how bad the consequences can be, and to remind them of the best practices.

You can read about more best practices this November in the second part of this two-part series.

Joel Ausanka is an IT project manager in the Information Security Office.
