Businesses and organizations have long been targets of phishing attacks and even more so since the pandemic. But now hackers are turning more of their attention to students attending colleges and universities.
In October of last year, the cloud-based email security firm, Zix, uncovered a new scam when they noticed suspicious activity coming from legitimate university .EDU servers. In this new series of phishing expeditions, hackers impersonate a university’s IT department, instructing students to take some sort of action if they wanted to keep their Office 365 password the same before a deadline occurred.
Of course, there was no deadline because the entire email was a hoax. Once a student followed the recommended course of action to ensure the safety of their current password, they would be redirected to a domain requiring them to verify their identity by entering their Office 365 username and passwords. Thus, innocently and unknowingly handing over their credentials to the hacker.
What makes this particular scheme so disturbing? The fact that the perpetrators were able to bypass a number of sender verification checks. In short, the best course of action anyone can take to protect themselves against scams like this is to verify the authenticity of the sender. This can easily be accomplished in one of three ways:
- Truly, one of the most effective and easy ways is to simply hover over the “From” display name to see what email address pops up. You may find the message is actually coming from someone other than who is listed. To do some further searching, if the email is supposedly coming from someone you know, pull up an old email sent by that person and compare the two. Does the name display look the same for both? Is the email signature the same? Or, just grab the phone and call the person to verify!
- Double check the sender’s email address. Are any letters switched up? Is there an extra letter added anywhere or one left out? Is there a lower case where it should be upper or vice versa? This is almost like a scavenger hunt because these hackers have become so creative, and honestly good, at what they do.
- If the message came from a business or organization, open a new toolbar and go directly to that site to log into your account from there. Never log in from the link given in the message.
By spending some time to scrutinize the message and verify the sender, maybe we can make these scammers a bit less successful!