There's always someone trying to steal people's passwords...
...and sadly, there are always people who allow them to do it.
A recent phishing email. The URL doesn't link to mail.york.ac.uk - your best bet is to mark it as spam.
These messages may warn you that your account needs to be validated, alert you to withheld emails, offer you an upgrade, or give you access to a shared Google doc. They include a link, which might appear to be a genuine University URL, and if you click on it you'll be asked to enter your username and password.
These emails are always a scam - their sole aim is to steal your password.
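The caption above makes the key check explicit: the link text can say mail.york.ac.uk while the link itself goes somewhere else. The script below is an added illustration of that check, not something from the original post or from the University's IT Services; it parses a constructed HTML email, pulls out every link, and flags those whose visible text names one host while the real target is another, or whose target is not under a trusted University domain (the york.ac.uk suffix is assumed here as the trusted list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the genuine University login pages live under.
# Assumption for this example: anything under york.ac.uk is trusted.
TRUSTED_SUFFIXES = ("york.ac.uk",)


def host_of(url):
    """Return the lowercase hostname of a URL, or '' if it has none."""
    parsed = urlparse(url.strip())
    return (parsed.hostname or "").lower()


def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def displayed_host(text):
    """If the visible link text looks like a URL or hostname, return its host, else ''."""
    if " " in text or "." not in text:
        return ""
    candidate = text if "://" in text else "http://" + text
    return host_of(candidate)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body):
    """Return a list of findings for links that deserve a closer look.

    'mismatch'  - the visible text names one host but the link goes to another
    'untrusted' - the real target is not under a trusted University domain
    """
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        shown = displayed_host(text)
        reasons = []
        if shown and shown != target:
            reasons.append("mismatch")
        if not is_trusted(target):
            reasons.append("untrusted")
        if reasons:
            findings.append({"href": href, "text": text, "target_host": target,
                             "shown_host": shown, "reasons": reasons})
    return findings


# Constructed sample message in the style of the phish described in the post.
# example.net is a reserved documentation domain, used here as the fake target.
SAMPLE_EMAIL = """
<p>Your mailbox must be validated to avoid suspension.</p>
<p>Click <a href="http://mail-york-ac-uk.example.net/validate">https://mail.york.ac.uk/validate</a>
to keep your account active.</p>
<p>Need help? Visit <a href="https://www.york.ac.uk/it-services/">IT Services</a>.</p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["reasons"], finding["text"], "->", finding["href"])
```

Run stand-alone it reports the one bad link: the text reads mail.york.ac.uk but the target host is mail-york-ac-uk.example.net, so it is both a mismatch and untrusted; the genuine IT Services link passes. Hovering over a link in a mail client performs the same comparison by eye.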
Lots of people already know that, and lots more are suspicious enough to check with us before they respond. But each time one of these phishing emails is targeted at University email accounts, we see people hand over their username and password, which means that we have to disable their account as soon as we become aware that it's been compromised.
Our phishing advice poster.
- If possible, we block access from the campus network to malicious websites - but this doesn't help if people are at home or elsewhere when they click on the link.
- We include information about spotting and dealing with email scams on our website, in our user guide, and in flyers handed out at Freshers' Fair and Staff Induction events.
- We post advice on our Twitter and Facebook feeds.
- When there's a phishing attack underway, we send warnings to departments for circulation to staff and students.
- We've produced a poster that departments can display on their noticeboards.
Find out more about spotting phishing attacks and other email scams at:
I still can't believe that anyone would fall for an email that says "Management has mandate you to validate your account". But then, I am still waiting for a very kind Nigerian prince to share half his fortune with me after I helped him transfer it to Switzerland so his wicked stepfather can't steal it from him.
But if English isn't your first language, it can be harder to spot those nuances of odd phrasing and grammar. That might be one reason why people think they're genuine.
Have you looked at any correlations between the accounts you've locked and users' age range / nationality / language (even if it's just a punt from their directory photos / surname / departmental profile), and are staff or students falling for the emails more?
The emails use bad English deliberately. They are trying to catch the most gullible, and making the English perfect will give them too many false positives to cope with.
One solution might be to make Google's two-step verification mandatory for UofY accounts. But that might make IT more unpopular than the spammers!
How about running a campaign on Managed PCs for a while which shows examples of what the spammers' emails look like when users start up their PCs and log in?
Could you make it a mandatory yearly test like the online fire safety training? I'm not a particular fan of having to complete these types of tests (or being nagged to remind me to complete them) but it does make them hard to ignore.
I think that's a great idea, Paul.
McAfee have a quiz which gets you to spot the phishing emails and the genuine ones: https://phishingquiz.mcafee.com/
I'm clearly too suspicious, as I marked two genuine ones as phishing...