Campus Phishing Alert 4/1/2017

Many people received an e-mail this morning claiming to have been sent from the Sam Houston State University Technology Department concerning a login alert with a subject of “Alert!!!”. (See image below.)

Screenshot of campus phishing attempt.

The link included in the message appeared to have been a SHSU Online link, but was directed to a malicious site that requests your username and password. IT Security has contacted the appropriate parties in order for them to remove the malicious site.

If you still have an e-mail in your inbox, please delete the e-mail with no further action.

If you have already visited the site and entered your username and password, please change your password as soon as possible at https://samweb.shsu.edu, by clicking on the IT@Sam menu, then on Account Password Change.

Please contact the Service Desk at servicedesk@shsu.edu or (936) 294-1950 should you have any questions, concerns, or trouble resetting your password.

Unfortunately, this is not an April Fools joke.

Important Notice from IT Security

Many people received an e-mail earlier today claiming to be an important Blackboard message. The e-mail had a subject of “Important Message.” or “New Important Message.” and looked like the example below.
The link included in the message was directed to a malicious site that requests your username and password. IT Security has contacted the appropriate parties in order for them to remove the malicious site.

If you still have an e-mail in your inbox with the subject of “Important Message.” or “New Important Message.”, please delete the e-mail.

If you have already visited the site and entered your username and password, please change your password as soon as possible at https://samweb.shsu.edu, by clicking on the IT@Sam menu, then on Account Password Change.

Please contact the Service Desk at servicedesk@shsu.edu or (936) 294-1950 should you have any questions, concerns, or trouble resetting your password.

Stay Safe in a Dangerous Online World Part 2

Last month we talked about some ways that you can help mitigate the likelihood of getting a virus, downloading malware or falling prey to a phishing attempt. This month we will touch on a few ways you can protect yourself from a phishing attempt.

For a bit of background on “phishing,” see Wikipedia.

“Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.”

E-mail and Phishing

E-mail is the main attack route for a phishing attempt, the goal of which is to steal your personal information. To help recognize a phishing attempt, use these five guidelines.

  • A non-specific or generic greeting. Internet criminals don’t normally set up mailing lists with users’ names autoloaded in, so their email messages usually start with:
    • Dear Customer
    • Dear Account Holder
    • Dear PayPal user
  • Fake links. A link in an email can be made to say anything in the text. Place the mouse cursor over the link and Outlook will display the actual link destination. In my example I made a link that displays as the Home Depot website but in reality is a link to the SHSU Homepage.
  • Links to non-secure login pages. All legitimate login pages will exist on a secure website. To see if the site you are on is secure, look at the beginning of the address. Secure sites begin with “HTTPS:” not just “HTTP:”. The S at the end denotes that site as secure. If you are unsure about a page that claims to be secure, you can click on the name of the company to the left of the URL address and see who has verified the website. For example, SHSU’s SamWeb is located at HTTPS://SAMWEB.SHSU.EDU and we have been verified by GlobalSign as a secure site.
  • Asking for personal information. The entire point of the phishing attempt is to get you to give up your personal information (Social Security Number, Credit Card Number, Bank Account, Residential Address, etc.) so that they can either steal your identity or sell your contact information to companies around the world. Every company that you do business with probably already has all of the information that they need from you. If you think it might be a legitimate request for information, then look up that company’s contact information online (not from the e-mail they sent you) and call them to confirm.
  • Immediate needs and deadlines. Criminals don’t want to wait around for you to send them your vital information, so they will put emergency notices and deadlines into their phishing attempts. They will frequently say that an account is going to expire within a few days if you don’t respond or that a service will be terminated and you will have to pay exorbitant reconnect fees. Don’t be fooled by this. Take the time you need to verify that this is a real request before you give out any information, and whatever info you do give, do it over the phone and not via e-mail.