![\"\"](\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2022\/07\/7-25-22-payroll-phish-1024x364.png\")
<\/figure>\n\n\n\nTips for Detection<\/p>\n\n\n\n
- Notice the maroon caution banner prepended to the message.<\/li>
- This message came from Artlon.Ruiz[@]sweetwaterschools[.]org. Legitimate messages about payroll will come from Human Resources with an @pugetsound.edu address.<\/li>
- Notice the various grammatical (e.g. “Employee’s”) and wording oddities (e.g. “follow on-screen directive .”). <\/li>
- The link goes to an online form. Never enter your password on online forms – many attackers utilize legitimate form building services such as Google Forms\/Microsoft Forms\/JotForm. Even though the site is legitimate, submitting information on these forms goes back to the creator of the form – in this case, cybercriminals. <\/li><\/ul>\n\n\n\n
Where Did the Link Lead?<\/p>\n\n\n\n
The link led to an online form asking for your account credentials.<\/p>\n\n\n\n
![\"\"](\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2022\/07\/7-25-22-payroll-phish-link-1024x631.png\")
<\/figure>\n\n\n\nText of Phishing Message<\/p>\n\n\n\n
From:<\/strong> Artlon.Ruiz[@]sweetwaterschools[.]org
Subject:<\/strong> Re: August Payroll-Verification !<\/p>\n\n\n\nAll Staff\/Employee’s<\/p>\n\n\n\n
The Finance and Accounts Unit wishes to advise that payroll will be early for the month of August.<\/p>\n\n\n\n
As such, the Finance and Accounts Unit (Payroll) is requesting that all staff \/Employee Verification should be done:
Visit: access-payroll [link removed<\/em>] and follow on-screen directive .<\/p>\n\n\n\nPayroll Account Department.
Copyright \u00a9 2022, All rights reserved<\/p>\n","protected":false},"excerpt":{"rendered":"Original Phishing Message NOTE: If you received this message, please delete it as it is NOT legitimate. If you clicked the link and entered any information, please contact the Service Desk as your password may be compromised. Tips for Detection Notice the maroon caution banner prepended to the message. This message came from Artlon.Ruiz[@]sweetwaterschools[.]org. Legitimate […]<\/p>\n","protected":false},"author":521,"featured_media":801,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[3],"class_list":["post-800","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-the-phish-tank","tag-phishing"],"_links":{"self":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/800","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/users\/521"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/comments?post=800"}],"version-history":[{"count":3,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/800\/revisions"}],"predecessor-version":[{"id":806,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/800\/revisions\/806"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/media\/801"}],"wp:attachment":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/media?parent=800"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/categories?post=800"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/tags?post=800"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}