Examples of real Buffalo State phishing emails

Below are examples of real phishing emails received at Buffalo State

First it’s important to remember that phishing can happen via phone, surface mail, email, and in general conversation. Phishing is a con where someone is tricked into sharing personal information that is later used for identity theft or related scams.

Example 1: From the “ITS Help Desk”

Above is very popular type of phishing email. The email pretends that it’s from the campus support desk, and it’s telling the recipient that their account will be closed unless they click on a link. The link text says “Cancel Deactivation.” If the recipient clicks on that link, a few different things can happen. For instance, malware may be downloaded without the recipient’s knowledge. That malware may give the sender the ability to access the recipient’s files, credentials, networked folders, etc. In some cases, clicking on the link will take the recipient to a form asking the recipient to enter their Buffalo State username and password. Once the sender has the recipient’s username and password, the sender can log into any accounts to which the recipient has access.

A few additional notes about the above email:

  1. The sender says “Admin Support.” However, if you use O365, or if you hover over the sender name you will see that the sender is not from Buffalo State. The link reads, 170785@ leedstrinity.ac.uk  This sender is from England, (based on the .uk). Even if you don’t know country codes, you can see that this is not from a Buffalo State account. You should report it (phishreports@buffalostate.edu) and delete it immediately.
  2. The email is sent to “recipients.” This is a tip off. It’s not sending to specific Buffalo State employees or to a known buffalo state group.
  3. The first thing it says is “Sign in with your work or school account.”  This is not something the Buffalo State IT Help Desk would send to you. The IT Help Desk would ask you to use your Buffalo State credentials, or Buffalo State username and password.
  4. The Buffalo State IT Help Desk does not sign off on email with “IT Help Desk.” We are the IT Help Desk.

 

Example 2: Subpoena

Let’s review the above email. First, the subject is “subpoena” The email is designed to provoke instantaneous fear and urgency on the part of the recipient. It’s bad news that makes a busy person immediately click on the link to see what the subpoena refers to. This is the whole game, try to make the recipient click on the link without thinking.

  1. The email was sent from “accountant@ appachemail.com.” I know that because I use O365. If I don’t use O365, I can see where the email is coming from by hovering over the email sender name.
  2. The subject is Subpoena. “Subpoena” is a word that invokes fear in the minds of citizens. The sender hopes to capitalize on Mr. Jones being unnerved by the subject and clicking on the link.
  3. The language in the email is familiar. “WTF is this?” is generally only written to you by someone you know well, certainly not from a professional colleague. “WTF is this?” is also an inflammatory question designed to spark fear, discontent, and immediate reaction on the part of the recipient. The same is true with the statement “My lawyer will call you tomorrow.”
  4. Luckily, Mr. Jones is thoughtful. He looked at the email and stopped rather than react. He thought about it, realized it was false, and likely phish. He sent it to phishreports@buffalostate.edu

 

Example 3: Phishing via a fake LMS notification email

The above message is an example of an older email pretending to be from a Blackboard LMA (the precursor to Brightspace) administrator. 

  1. Hovering over the “From:” field shows that the email came from bmurph41@villanova.edu. Ask yourself, why would someone from Villanova email me about my Blackboard account? 
  2. The Recipient field shows that the message was sent to bmurph41@villanova.com.  This should make no sense to the reader. Why would someone at Villanova email himself and somehow copy me at Buffalo State? 
  3. The sender provides a link on which the recipient is told to click to check Blackboard messages. The link says: http (note, there is no “s” after the http, therefore the site linked is Not secure) ://stevepartners .com/wp-content/upgrade/blacB/Blackboard-Learn.htm  Ask yourself, “Would Buffalo State email me and tell me to check my Blackboard messages at “stevepartners?” Your answer, even if sleep deprived, should be a resounding “No!” Both because of the details noted above, but especially since this is no longer a system used by the school. Report messages like this to phishreports@buffalostate.edu and delete it immediately.
     

Example 4: Message Delivery Failure

The above example is a little trickier than the last few. It’s also specifically addressed to basinsjb, and uses her username in the body of the email. This is spear phishing, or targeting a specific person.

  1. The message is from “Delivery Failure” which, on its own might seem legitimate. However, when hovering over the sender name, we see the email address from the sender is  mailto:msg.sser@ms. officeonline.com
  2. The subject “Delivery Failure” seems legitimate.
  3. The enlarged, red text in the body says “Buffalostate Message Delivery.” That prompts some suspicion.
  4. There are two links, one link says “Move pending messages from server to Inbox,” the second link says “Review pending message with Buffalostate Cloud server.” If you hover over these links you will see that they go to: www.sewagetreatmentplantindia.in /asma.
  5. Report to phishreports@buffalostate.edu,  and delete it immediately.

 

Example 5: I’ve attached my resume

The above email pretends to be from a person who wants to apply for a job at Buffalo State.

  1. There is no subject line.
  2. The sender name says “JANICE HANNA.” However, hovering over the name shows an email address of “harry.rennings @t-online.de. This is, itself, suspicious.
  3. The “To” field shows that the intended recipient is miszczak@imp.jodz.pl . Who’s that? 
  4. The email starts out with “How’s your day.” This is a very familiar and casual way to start an email to someone from whom you are requesting a job.
  5. The email goes on to say that the sender visited our web site and wants me to go to a link on her Google drive to get a resume. If this person did go to our Jobs website, s/he would see that one must submit an application online.
  6. The sender wants the recipient to click on his/her Google drive and supplies a password to use to access the file. When hovering over the link to the Google drive there is some trickery, let’s look:

The link address is: https:// drive.google.com/uc?/export-download.UXH….) Yes, this link starts with https which is deceiving. https: is what we want to see to know that a web site is secure.  The next part “drive.google.com” also looks legitimate. What Follows does not. After “.com” we see “uc?/export-download” followed by a bunch of letters and symbols. That spells trouble.

 

Bottom line, if someone sends you something you’re not expecting, delete it. If it looks like it’s from a colleague, but still suspicious, call the colleague and ask before you click on the link. In this case, if the person really wants to apply for a job at Buffalo State, s/he must prove s/he can follow directions which are on the job application site.