{"id":145,"date":"2020-10-27T09:56:52","date_gmt":"2020-10-27T16:56:52","guid":{"rendered":"http:\/\/blogs.pugetsound.edu\/infosec\/?p=145"},"modified":"2023-02-09T12:04:05","modified_gmt":"2023-02-09T20:04:05","slug":"simulated-phishing-breakdown-5","status":"publish","type":"post","link":"https:\/\/blogs.pugetsound.edu\/infosec\/simulated-phishing\/145","title":{"rendered":"NCSAM 2020: Simulated Phishing Breakdown #3 – Faculty\/Staff"},"content":{"rendered":"

If you were redirected here after entering your credentials, please read on to learn why the email you received was phishing. Don\u2019t worry!<\/strong> This was a simulated<\/strong> phishing attempt so your credentials are safe. However, if the situation were real, the information you entered would now be in the hands of a cybercriminal.<\/em><\/p><\/blockquote>\n

The email you received was sent by Technology Services to simulate a real phishing email as part of National Cyber Security Awareness Month. <\/em> Visit pugetsound.edu\/NCSAM2020<\/a> for more information. <\/em>The goal of simulated phishing is to provide an interactive way for campus members to learn how to quickly recognize and handle phishing emails.<\/em><\/p>\n

What was suspicious about this email?<\/h2>\n
    \n
  • Were you expecting it?<\/strong> If you were not expecting a shared document, use caution before clicking links or opening attachments.<\/li>\n
  • Did it seem overly vague? <\/strong>There is no name associated with who shared the document which should be suspicious. Something generic like “committeechair” or “departmentchair” are frequently used in phishing attacks. Further, the document title seems vague enough to seem relevant to anyone.<\/li>\n
  • Was the email address from Google? <\/strong>If you look closely at the sending email address, it was sent from the domain “gooogel.net” instead of “google.com.”<\/li>\n
  • Did you notice an odd character? <\/strong>In the first line of the message, the email address listed is “pugets\u00f8und.xyz”. Attackers frequently use homoglyphs (i.e. characters that appear almost identical or similar) to impersonate organizations. Look out for deliberately mispelled company names or homoglyphs in email addresses and URLs.<\/li>\n
  • Did the link go to Google Drive? <\/strong>If you hover over the link to open the document, you’ll notice that the link leads to pugetsound.xyz. That is neither the university’s website nor the website for Google Drive which should be a red flag.<\/li>\n
  • Did information seem mismatched? <\/strong>The email states there is a new document. However, the logo is for Google Sheets, not Google Docs. It also again lists Google Sheets above the mailing address.<\/li>\n<\/ul>\n

    Didn’t the link take me to Google?<\/h2>\n

    Nope! Just because a website has the logo of the company you are expecting does not<\/strong><\/em> mean it is legitimate. Be especially careful on sites where you enter your username and password. If you enter your username\/password on a website from a phishing email, your account and password are likely compromised. Always double check the URL. In this case, the URL was pugetsound.xyz whereas it should have been accounts.google.com.<\/p>\n

    Fake Google Login Page<\/h4>\n

    \"\"<\/p>\n

    Real Google Login Page<\/h4>\n

    \"\"<\/p>\n

    How do I spot other document sharing phishing messages?<\/h2>\n

    Know the deal real! <\/strong>For legitimate shared Google documents, expect the message to be sent with a display name like this: “Jane Logger (via Google Docs).” The sending email address should be: “drive-shares-noreply@google.com.”<\/p>\n

    If a linked document is password protected, think twice. <\/strong>Many phishing emails use legitimate cloud sharing services such as Google Drive or Microsoft OneDrive. Normally, a file is scanned for viruses before it is uploaded to a cloud service. However, if the file is password protected, the automatic malware scan cannot occur. If you receive a link to a cloud storage site and the email includes a password to unlock the file, use caution. You might be downloading malware onto your computer by clicking the link and unlocking the file.<\/p>\n

    Original Simulated Phishing Message<\/h2>\n

    \"\"<\/p>\n

    Text of Simulated Phishing Message<\/h2>\n

    committeechair @ pugets\u00f8und.xyz has invited you to edit<\/strong> the following document:<\/p>\n

    Revised Proposal<\/p>\n

    [First Name], please review this revised proposal at your earliest convenience.<\/p>\n

    Open in Docs<\/p>\n

    Google Sheets: Create and edit spreadsheets online.
    \nGoogle LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA<\/p>\n","protected":false},"excerpt":{"rendered":"

    If you were redirected here after entering your credentials, please read on to learn why the email you received was phishing. Don\u2019t worry! This was a simulated phishing attempt so your credentials are safe. However, if the situation were real, the information you entered would now be in the hands of a cybercriminal. The email […]<\/p>\n","protected":false},"author":521,"featured_media":141,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[3],"class_list":["post-145","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-simulated-phishing","tag-phishing"],"_links":{"self":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/145","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/users\/521"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/comments?post=145"}],"version-history":[{"count":4,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/145\/revisions"}],"predecessor-version":[{"id":982,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/145\/revisions\/982"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/media\/141"}],"wp:attachment":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/media?parent=145"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/categories?post=145"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/tags?post=145"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}