CougTech

Phishing FAQ


What is Phishing?

  • Phishing (pronounced like “fishing”) is a social-engineering attack in which a hacker sends a message designed to lure an unsuspecting user into handing over information the hacker wants, most often a password or account details, or into taking an action such as clicking a link. The message relies on behavioral psychology (trust, fear, urgency) rather than on any technical flaw.

Why do hackers Phish?

  • Hackers phish because they want to harvest personal, usable or marketable information. The harvested information is almost always used for nefarious purposes against the compromised account or against other accounts, which may or may not be connected to the original one (for example, accounts that share the same password).
  • The address book of the compromised account is a frequent target. By harvesting the victim's contacts, hackers can make the scheme grow exponentially, spreading to the contacts of the victim's contacts and so on. Because a message from a known sender is more likely to be trusted, this spread is both fast and effective at reaching a large number of accounts, which makes it very difficult to slow down.

How can I spot a Phishing attempt?

  1. A classic phishing attempt pretends that a message comes from someone with some kind of authority, such as IT support or a bank. It may even appear to come from someone you know or trust; your “friend” who is the supposed sender could have just fallen victim themselves. Take time to inspect the actual From address, not just the display name. Is it really coming from who it claims to be? Often you can hover your mouse pointer over the sender's name and it will reveal a different address from the one you were led to believe sent the message.
  2. Additionally, phishers try to create a sense of urgency to get you to respond about something supposedly about to happen to your email, internet service, bank account, etc. (an account closure, a full mailbox, a suspicious sign-in). More often than not, the English in the message is also poor, with sentence structure and spelling commonly being abused.
  3. The final key in the classic phishing attempt is a “CLICK HERE” link (or something similar) that supposedly lets you remediate the problem. The majority of the time, the “Click Here” link actually leads somewhere other than where its text says, frequently a look-alike login page hosted halfway across the world. Hover over the link before clicking and compare the real destination with the site the message claims to be from.
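The three checks above can be automated. Below is an added example (not a CougTech tool and not code from the original page) that runs them over a constructed sample message: it compares the display name with the real From address, notes when Reply-To points at a different domain, looks for the urgency words item 2 describes in the subject, and flags links whose visible text names one site while the underlying href points at another. The sender and link domains in the sample are made-up placeholders, and the TRUSTED_DOMAINS, URGENCY_WORDS and IMPERSONATION_WORDS lists are assumptions chosen for the demo.

```python
# Added example, not from the CougTech page or WSU tooling: automated versions
# of the FAQ's manual checks, run over a constructed sample phishing message.
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for the demo: the domain the recipient should trust, words that
# signal manufactured urgency, and display-name fragments used to borrow authority.
TRUSTED_DOMAINS = {"wsu.edu"}
URGENCY_WORDS = ("urgent", "immediately", "24 hours", "suspended", "deleted", "verify")
IMPERSONATION_WORDS = ("wsu", "help desk", "it services", "microsoft", "office 365")

# Constructed sample (placeholder domains, not real sites), modelled on the
# "your mailbox will be closed" pattern described in the FAQ.
SAMPLE_EMAIL = """\
From: "WSU IT Help Desk" <support@example-mailer.net>
Reply-To: helpdesk-reset@example-verify.com
To: student@wsu.edu
Subject: URGENT: your mailbox will be DELETED in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear user, you're mailbox have exceed it limit. Click below immediatly.</p>
<p><a href="http://example-verify.com/login">https://office365.wsu.edu</a></p>
<p>Questions? See <a href="https://wsu.edu/it">WSU IT</a>.</p>
</body></html>
"""


def registered_domain(host):
    """'mail.example.com' -> 'example.com'. Crude on purpose; real code should
    use a public-suffix list so names like 'foo.co.uk' are handled correctly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(address):
    return registered_domain(address.rsplit("@", 1)[-1])


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyze(raw_message):
    """Return a list of finding strings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # Check 1: the real From address versus the display name it hides behind.
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    if from_dom not in TRUSTED_DOMAINS:
        findings.append(f"sender_domain:{from_dom}")
        if any(w in display.lower() for w in IMPERSONATION_WORDS):
            findings.append("display_name_impersonates_trusted")
    # A Reply-To elsewhere means replies go to a mailbox the phisher controls.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"reply_to_mismatch:{domain_of(reply_to)}")

    # Check 2: manufactured urgency in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    if any(w in subject for w in URGENCY_WORDS):
        findings.append("urgent_subject")

    # Check 3: "CLICK HERE" links whose text says one site and href another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(html)
    for text, href in collector.links:
        href_dom = registered_domain(urlparse(href).hostname or "")
        if href_dom not in TRUSTED_DOMAINS:
            findings.append(f"untrusted_link:{href_dom}")
        if text.startswith(("http://", "https://")):
            shown_dom = registered_domain(urlparse(text).hostname or "")
            if shown_dom != href_dom:
                findings.append(f"link_text_mismatch:{shown_dom}->{href_dom}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print(finding)
```

Run stand-alone, the script prints one line per finding for the sample; a legitimate plain-text message from a wsu.edu sender with no links produces none. The link check only compares domains when the visible text is itself a URL, which is exactly the case the FAQ's “Click Here” advice is about: a link that looks like office365.wsu.edu but goes elsewhere.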

What is the best thing to do, if I get a Phishing email?

  • Please, NEVER NEVER NEVER respond to any of these attempts in any way. Simply deleting the message is the best practice! Responding in any way includes clicking on the link, opening an attachment, or replying to the sender. Replying does not help: at best you get no answer, and at worst you have confirmed that your address is active and that you read such messages.
  • If you have any question about the validity of the message, get a second opinion from a trusted source. That source could be a tech-savvy friend or, if none is available, CougTech@wsu.edu. If you still have additional questions, contact the WSU IT Security team at abuse@wsu.edu.

What do I do if I took the Phishing bait?

  • As with any compromise of your personal account or information, the very first thing to do is to change your password. In the WSU environment, this is done at http://reset.wsu.edu. If you still have access to your account, follow the path at the WSU reset site for changing a known password to a new one; there is also an option at the reset site for when you have forgotten your password. If you used the same password on any other account (personal email, banking, social media), change it there too, since phishers routinely try harvested passwords against other services.
  • Stay alert for any abnormal behavior in your incoming or outgoing email. If you think you are missing email, no email is coming in at all, or you simply cannot log in to your account, the phisher may have compromised your mailbox and changed settings in your account to hijack your mail.
  • If your mail is behaving abnormally, check for hijacked settings in your account. See the Q & A below on account damage done by phishing.

What are some specific examples of phishing attempts?

  • On the WSU campus, email accounts are the most frequent target of phishing attacks.
  • However, telephone and postal services have also been mechanisms for phishers and scammers to get their bogus message out. Though there is legislation against such activities, it does not prevent scams from occurring.
  • Below are some examples of email messages in particular that have recently occurred on the WSU campus. Variations of these have been going on for years:

[Screenshot: “Upgrade” phishing message]

[Screenshot: “Network Auth” phishing message]

What kind of account damage is done by phishing?

  • When a user responds to a phishing email and hands over their password, the phisher typically logs in to the account and, often using an automated script, edits the owner's email settings. The changes could be one or all of the below:
    • A forwarding or delete rule that forwards or deletes all incoming mail, so that mail appears to go missing
    • A rule that deletes only selected messages, for example security alerts or bounce notices that would reveal the hijack. This is sometimes known as a “Blue Rule” and can be found in the user's incoming rules.
    • Changes to the approved senders list. The phisher adds their own address to the user's allowed senders list without the user knowing, so their messages are never filtered out.
    • Use of the compromised account as a relay for the phishing scheme: the scam is sent from the user's own mailbox, usually to people in the compromised account's address book. This can obviously damage the reputation of the account holder.
  • Important emails that have been hijacked must be considered stolen and may be gone forever. If you are missing important mail, consider contacting the likely senders and asking them to kindly resend the message(s). In some cases you may be able to retrieve mail by looking in the Deleted Items or Sent Items folder.
  • Unknown damage might result from any harvested personal information. For example, if bank information was harvested, your account balance could be adversely affected.
  • The screenshots below go into detail on how to check the settings in the two most common email clients on the WSU campus. One is for students, the other for faculty/staff:


For Students

Log in to your student email account at http://office365.wsu.edu and click on the email icon.
Perform steps 1, 2 and 3 shown in the screenshot below to get into the forwarding menu. Follow the instructions outlined in the red box, and make sure that forwarding is either off or points only to an address you set up yourself.
Also check Block or Allow and Inbox and sweep rules.
  • In Block or Allow, look specifically in the Allow list for any address you do NOT recognize as someone you know. A hijacker may have placed their own address in your allow list so that their messages bypass your junk filter.
  • In Inbox and sweep rules, look for rules that you did not create. Some rules could be taking all of your mail and placing it in the trash. Others could be selective in what they grab, deleting those messages or forwarding them to the hijacker's private address so they can scan your messages for personal, usable information. Delete any rule you did not create.

[Screenshots: Step 1, Step 2, Step 3, Step 4]
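The settings review described in the account-damage list and in the student steps above amounts to a small audit of the mailbox's rules and allow list. The following is an added example, not a CougTech tool and not code from the original page: it takes a list of inbox rules plus the allow list and flags exactly the patterns the FAQ describes (forwarding to an outside domain, a rule with no conditions that deletes everything, a selective “Blue Rule” that deletes only certain subjects, and allowed senders the owner never added). The rule records and their field names (name, enabled, conditions, actions) are constructed for the demo and are an assumption, not any mail client's real export format; the addresses are placeholders.

```python
# Added example, not from the CougTech page or WSU tooling: an audit of
# mailbox settings for the hijack patterns the FAQ lists. The rule records and
# field names below are constructed for the demo (an assumption, not a real
# client's export format); the addresses are placeholders.
OWNER_DOMAIN = "wsu.edu"

# Constructed data: what a hijacked student mailbox might look like.
SAMPLE_RULES = [
    {"name": "File newsletters", "enabled": True,
     "conditions": {"from": ["news@wsu.edu"]},
     "actions": {"move_to": "Newsletters"}},
    # Hijack rules often have blank or one-character names and no conditions,
    # so they match every incoming message.
    {"name": ".", "enabled": True,
     "conditions": {},
     "actions": {"forward_to": ["collector@example-mailbox.net"], "delete": True}},
    # The FAQ's "Blue Rule": quietly discard the messages that would reveal the hijack.
    {"name": "Blue Rule", "enabled": True,
     "conditions": {"subject_contains": ["password", "unusual sign-in", "undeliverable"]},
     "actions": {"delete": True}},
    {"name": "Old forward", "enabled": False,
     "conditions": {},
     "actions": {"forward_to": ["me@example-personal.org"]}},
]
SAMPLE_ALLOW_LIST = ["advisor@wsu.edu", "collector@example-mailbox.net"]
KNOWN_CONTACTS = {"advisor@wsu.edu", "news@wsu.edu"}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def audit_rules(rules, owner_domain=OWNER_DOMAIN):
    """Return (rule name, finding, detail) tuples for every enabled rule that
    matches one of the FAQ's hijack patterns. Ordinary filing rules produce nothing."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue  # a disabled rule does nothing; still delete it if you did not create it
        name = rule.get("name") or "<unnamed>"
        conditions = rule.get("conditions") or {}
        actions = rule.get("actions") or {}
        matches_everything = not conditions

        # Pattern 1: mail forwarded or redirected to an address outside the owner's domain.
        targets = list(actions.get("forward_to", [])) + list(actions.get("redirect_to", []))
        external = [t for t in targets if domain_of(t) != owner_domain]
        if external:
            findings.append((name, "forwards_externally", ", ".join(external)))

        # Pattern 2: everything deleted (catch-all rule); pattern 3: selected mail deleted.
        if actions.get("delete") or actions.get("permanent_delete"):
            if matches_everything:
                findings.append((name, "deletes_all_mail", ""))
            else:
                detail = "; ".join(f"{k}={v}" for k, v in conditions.items())
                findings.append((name, "deletes_selected_mail", detail))
    return findings


def audit_allow_list(allow_list, known_contacts):
    """Pattern 4: allowed senders the owner never added (the FAQ notes a hijacker
    often inserts their own address)."""
    known = {c.lower() for c in known_contacts}
    return [a for a in allow_list if a.lower() not in known]


if __name__ == "__main__":
    for name, finding, detail in audit_rules(SAMPLE_RULES):
        print(f"rule {name!r}: {finding} {detail}".rstrip())
    for addr in audit_allow_list(SAMPLE_ALLOW_LIST, KNOWN_CONTACTS):
        print(f"unknown allowed sender: {addr}")
```

On the sample data the audit reports the “.” rule twice (external forward and delete-all), the Blue Rule once, and one unknown allowed sender; the legitimate newsletter rule is silent. A forward to an outside address is flagged even when the owner set it up deliberately, which is the right default for a post-compromise review: the owner can recognise their own rule, but an attacker's rule is easy to miss if it is filtered out automatically.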

For Faculty/Staff

At this point in time, faculty/staff email accounts use a slightly different system and are not experiencing exactly the same issues. Checking for damage is slightly quicker.
Log in to your faculty/staff account with your WSU network credentials at http://connect.wsu.edu (Internet Explorer or Firefox work best for this step). Look for “Options” in the upper right-hand corner, then click “Create an Inbox Rule…”.
Review all of your rules. In some cases, by responding to a spammer's phishing attempt, a hijacking script may have placed a rule in your account that forwards all of your mail to the hijacker or, in some cases, deletes it. In any case, carefully review your rules and remove any you did not create.

All Accounts-Students/Faculty/Staff

If you cannot send mail, your account may have been locked or blacklisted by Microsoft or WSU because it was used as a relay for additional spam-type messages. You will need to change your password via http://reset.wsu.edu and send a message to cougtech@wsu.edu to begin the process of unblocking your email account.

What are some Additional Resources on this topic?

http://www.phishing.org/scams/prevent-phishing/
https://www.us-cert.gov/ncas/tips/ST04-014
https://www.google.com/safetycenter/everyone/cybercrime/identity-theft/
http://www.onguardonline.gov/
http://www.onguardonline.gov/articles/0376-hacked-email
Information Technology Services, PO Box 641222, Washington State University, Pullman WA 99164-1222, 509-335-4357