ITS has received reports of a new phishing scam that proceeds as follows:
Step 1: A phishing attack goes out from a compromised student’s email. One recent example (subject line: “Attention!!!”) is framed as a message about terminating the recipient’s Office 365 account. The message’s “CLICK HERE TO VERIFY” link takes the recipient to a Google document that asks for credentials and a phone number.
Step 2: If the recipient of the email clicks the link and provides log-in credentials, the bad actors use the phished credentials to log into the Office 365 account and generate a multi-factor authentication (MFA) request that will be seen by the victim.
Step 3: If the student uses text as their MFA method, the bad actors immediately attempt to trick the student into providing the MFA code they received by sending a text message that says in part, “We texted your phone … Kindly text back the code that was sent to your phone number to keep your Syracuse University Office 365 safe and secure.”
Step 4: If the student provides the code, the bad actors gain access to the account, create mailbox rules on the victim’s inbox, and expand the attack with new phishing emails. One phishing email with the subject line “Employment Opportunity for current Staff/Student” links to a Google document that asks for personally identifiable information such as name, phone number, address and more.
ITS PHISH BOWL
For more examples of phishing, please check out the ITS Phish Bowl—but only after hovering over the link to confirm where it will take you.
While this attack currently appears to be focusing on students, it could easily be used against faculty and staff.
These emails are malicious and should be discarded accordingly. Universities never ask for personal account information via email. In addition, ITS will never ask for your password via email. Any email communication or unsolicited web form asking for this type of information should be deleted.
Identifying Phishing Emails
To protect against phishing attacks, follow these guidelines the next time you receive a suspicious email:
- Be suspicious of unexpected emails sharing documents and links. If you are not sure, contact the sender (preferably via text message, phone or an alternative email address) and ask if they shared a document with you.
- Consider the message suspicious if you do not know the sender. Remember, phishers often use compromised accounts to send their messages. They also can forge the sending address. If you feel at all unsure, call the sender at a known number to confirm they sent the information.
- Do not open suspicious shared documents. Phishers often send vague messages stating a document has been shared with you. They rely on your curiosity to open the document.
- Beware of emails promising financial gain, quick fixes or easy solutions, as these are likely phishing attempts.
Getting Help
Students who need more information or assistance with verifying email messages can contact the ITS Service Center at 315.443.2677 or help@syr.edu. Faculty and staff can contact their local IT support team. To receive timely notification from ITS of current information security threats, follow ITS on Instagram.