Catching a Phish
You might have noticed suspicious emails come through your Outlook Inbox over the holiday break. One said that your email account was over quota. Another said that we were upgrading our servers. One referenced owa.wm.edu in the subject line. All messages claimed they were from W&M IT. But no, these were not from us - they were part of a phishing attack.
Phishing emails are trying to do one thing - get your WMuserid and password. The attackers use the credentials to access your email account. Most often they use your account to send out spam under your name but they can also find personal information and compromise security.
The Attack
This particular barrage of phishing emails was carried-out by one attacker - or one group of attackers. The attack was purposely made over the winter holidays, as it was a time when they knew our defenses would be low. In total they sent about 15,000 emails, most of which never made it to an Inbox. There are several automatic blocks in our W&M Outlook email system that filter-out the majority of phishing emails. Despite having these blocks in place, some attackers are clever enough to find a way into our mail system. This particular attacker tried 15-20 different phish attempts. With each attempt they tweaked their methods to avoid detection, eventually passing by our defenses.
The Defense
"A lot of work goes into mitigating the damage from phishing and constant vigilance is needed to keep phishing at bay," says Pete Kellogg, IT's Director of Information Security and Project Management. In addition to creating the aforementioned blocks, IT engineers are continually analyzing account activity levels. Usually when an account is compromised there will be an immediate sharp spike in outbound messages (aka spam). If IT engineers see this suspicious behavior they will suspend the account until the user changes his/her password. Changing the password on the compromised account will close off the account to the attacker and bring the spam to a halt.
You can help as well. As soon as you see a phishing email send it to [[abuse]]. This will alert our team to the problem. IT engineers immediately begin investigating the source of the phish and then create a block to stop emails from that sender. They can also quarantine the emails that were already sent so that users cannot access them. However, if you forward your Outlook emails to another account (such as a Gmail account) the forwarded copy will not be quarantined.
The Aftermath
In total, 15 people supplied their W&M credentials during this phish attack. "Most people are really good at identifying malicious emails," says Matt Keel, IT's Security Engineer, "but occasionally someone will be tricked." There are clues to identify phishing emails. This includes misspellings in the message, an unfamiliar address in the "From" field, a link that has a suspicious address, and/or the fact that they are asking for your password. Remember - W&M IT will NEVER ask you to send us your password.
You can expect to receive a few legitimate email notifications from W&M IT. These notifications may link to a web page where you must enter your WMuserid and password to login. These notifications are for (but not limited to):
- Your yearly password reset
- The annual network authentication (usually in early August)
- Verification of phone locations
You can also access most of these services from the IT website. For example, you can reset your password by going to the IT Services page and choosing "Change Your Password" in the Accounts and Passwords section, instead of following the link in the notification email.
If you have any doubt of the legitimacy of a web page requesting your W&M credentials, contact our Technology Support Center at 757-221-4357 or [[support]].
While you're thinking about it, why not change your password right now...
