Phishing Campaigns

• UW-Stout is a Microsoft 365 campus and most business is shared via OneDrive, Teams and SharePoint. If you receive a request to edit a document in a system you don't commonly use or you are not expecting it, be cautious. You can always reach out to the sender to find out if it is legitimate.
• The email address includes a misspelling and does not match the sender. (no.reply@alerttnow.com)
• "Conferance" is spelled incorrectly.
• The urgency in the message is a red flag.

• Note the spelling in "micrsoftalerts.com"
• Incorrect spelling, your vs. you're
• Sense of Urgency in large blue text
• Phishing links included in email

• This was an unexpected message granting access to things not requested.
• Email address is @swift-ness.com and NOT Adobe.
• Misspellings:
  • adminstrator
  • sing vs sign
  • recieve
  • your vs. you're
• "Get Started", was a link to a phishing URL.
• Included a statement at the bottom that could be considered a hint, "Please use caution when click on links in phishing messages"
• There was a made up address at the bottom

• Beware of suspicious subject lines that seem out of the ordinary
• Look at the sender and the email domain as one way to verify suspicious emails
• Links in emails can be dangerous. The link in this email was an example of link masking. Hackers use link masking to hide the actual URL of the link. Most browsers will display the true link by hovering the mouse pointer over it.

• Confirm any unexpected changes in process or requests through a secure line of communication before complying.
• Investigate the email address itself. In this case, the email address ends with donotrepliee.com
• Repurposed images and logos from actual companies are used to add a perception of legitimacy to phishing messages.
• One of the more common signs of a phishing email is misspelling. "Authentcator"
• QR codes are becoming increasingly popular, but that does not mean they are always safe. they are easy to use, making it easy for you to end up on a malicious website.

Tips for this Month

• One of the more common signs of a phishing email is bad spelling and incorrect use of grammar ( Games was spelled "Garnes"

• Investigate the email address itself. In this case, the email address ends with safemessaging.org

• In cases where you did not initiate the interaction to receive invitations, marketing materials, or newsletters, there is a higher probability that the email is suspect.

• This was sent out at the same time as many fantasy football leagues were kicking off.

• An indicator of a potentiality fraudulent email is when all links in a message lead to the same "phishing" URL or address: in this case safemessaging.org

Tips for this Month

Don’t trust an email just because it looks familiar. This month’s phish was a bit tricky as the UW -System institutions are big users of Teams and we often click things that seem familiar. It may seem unfair, but that is what the bad actors do. Bad actors often use Microsoft, Apple, Netflix, Amazon and other common brands and services to gain trust.

While the email looked pretty good, as they often do, both Teams and Microsoft was misspelled in the subject line. But please don’t count on misspellings. The bad guys often have copy editors these days.

This message also adds a sense of urgency as it was sent just after the close of FY22 and it notes delinquencies.

The reply to address was no-reply@network-support.us. This is clearly not a Stout or UW system address. A good indicator of a phish.

Tips for this Month

Be wary of any email demanding action. They are quite often fraudulent. Covid has been a focus of fraudsters for the past two years. Wisconsin residents have reported over 9,000 complaints of fraud related to the Covid pandemic to the Federal Trade Commission. Nearly half of the reported fraud resulted in financial loss. This amounted to $8.22 million dollars in losses reported by Wisconsin residents alone!

1. The sender's email address had a spelling error in the domain. @micrsoftalerts.com

2. Tip: If you did not attach a service to your account or make a purchase through a service, you can safely assume it is a phish or scam. Even if it is a service you do use.

1. The April campaign was aligned with current events. They will use current events to make the emails appear relevant. 

2. April’s phish included an additional step where users could have entered their twitter credentials.

Note: Technical issues prevented over 2/3 of the phishing email from being delivered. Approximately 700 emails went through. However, if you extrapolate based on the numbers, we would still be under 1% if all email had gotten through.

March 2022 Phishing Email Example

1. The March campaign was aligned with the tax season which is what many phishing experts will do. They will use current events to make the emails appear relevant.

2. The display email used was from an unfamiliar email account and not associated with a UW email address or with your personal tax company.

3. There was a "Call to Action" message. "Your ability to e-file will be disabled" statement demanded your response.