Account/Password Phishing information

Please note: You may have been redirected to this page to keep you safe if you are on-campus and clicked on a known phishing link in a scam email.

NEW! - Bloomsburg University users now have access to Phishing Training.

What is a phishing message?

 

  • Phishing, as typically performed within a university setting, is when outside scammers send emails that attempt to acquire account passwords by pretending to be a campus IT administrator or campus VIP, luring unsuspecting Faculty, Staff, and Students into giving up the information. The emails direct Faculty, Staff, and Students to reply with their password or to click a link that opens an external website form asking for their password. The scammers collect the usernames and passwords so they can send spam to the Internet while authenticated as the account whose password they collected.
  • The messages can even appear to be from a bloomu.edu email address, since From addresses can be spoofed or simulated. The one clear similarity is that they request that your information go to a host outside of bloomu.edu, either through a Reply-To address (the address that replies are directed to, which differs from the From address when a Reply-To header is set) or through an off-campus web server that collects the information. Keep in mind that while most phished passwords are only used to access your email account, the scammer actually has access to every university system you have access to and can view or delete any files or information you have access to. The spammer typically deletes the contents of your mailbox periodically while spamming, to make sure the mailbox doesn't go over quota, which would stop it from sending out more spam.
  • The most typical phishing messages sent to BU accounts ask BU Faculty, Staff, or Students to confirm their email accounts by supplying their username and password. They claim the email account is inactive or over quota and will be terminated if you don't send the password within a short time period. DON'T FALL FOR IT! Look at the examples at the bottom of this page.
  • When trying to determine if the email is authentic or not, remember one very important detail: Bloomsburg University will never send you email requesting you to provide or confirm your username, password, or any other personally identifying information.
  • Things to look for to verify if the email is a phishing email:
    • Spelling errors and bad grammar
    • Odd formatting (e.g., incorrect use of capital letters, punctuation, spacing, or line returns)
    • No real person's name included either in the greeting or the signature
    • A return or reply-to email address that is spoofed. You can view "full headers" to see what is listed as the actual return address or check the TO header as soon as you click reply.
    • If a password is being requested, you know the email is not legitimate. We will never request your password. Look at what else is being requested as well (e.g., requesting your country, territory, or webmail URL should also throw up flags that it's not us requesting the information)
    • No mention of a phone number to call or person to contact
    • Deleting an account due to lack of response: we would never follow that kind of practice for current employees or enrolled students
    • Includes a hyperlink that has an odd-looking URL (for instance with a foreign country as the domain, or spelled to resemble a legitimate web address; note also that URLs outside the bloomu.edu domain in external inbound email messages will be rewritten by our email perimeter URL rewrite service). If you feel the need to click a link, pay extra attention to the URL in the address bar. It is much safer not to click it and to ask IT support whether the message is legitimate instead.
  • But beware - some phishing messages actually include valid From addresses such as helpdesk@bloomu.edu or administrator@huskies.bloomu.edu that are spoofed or simulated, include the words "Bloomsburg University", include Bloomsburg University's actual street address and phone number, have correct spelling and grammar, and list an actual person's name (typically the name of someone who does not work for the university) in the body of the email to make it seem more legitimate. They can even steal a BU logo and put it on the web form. As phishing campaigns have gotten better over the years, we've started to routinely see scammers copy our entire webmail logon page, so it is extremely important to pay careful attention to the web page address in the address bar of your browser before ever typing in your password.
  • Education about phishing is so important because when a BU account is compromised and sends spam to the Internet, it can cause problems for all Bloomsburg University Faculty, Staff, and Students. As our mail server sends authenticated spam, our servers start showing up on spam lists and many mail servers on the Internet blacklist our mail servers, so the rest of the non-compromised email accounts can no longer get their Internet email delivered successfully. This is outside of our control, other than re-securing compromised accounts and trying to convince each and every Internet server out there that we've cleaned up the situation and won't be spamming them anymore.

 

If you've received a phishing message...

  • Do not reply to it.
  • Do not click the URL.
  • Do not ever provide your password.
  • You can forward the message as an attachment to postmaster@bloomu.edu so we can take action to help ensure other BU Faculty, Staff, and Students that received the same message do not get their account compromised. This can include blocking outgoing emails to the reply-to address, blocking scam web page forms from our campus network, or when possible removing the message from all mailboxes.

If you've fallen for a phishing scam...

  • First and foremost, change your password so the scammer no longer has access to your account.
  • Expect angry replies and Non-Delivery Messages for a few days if your account was used to spam Internet email addresses. Some compromised accounts have sent out spam to tens of thousands of email addresses in a relatively short time period before the account has been re-secured.
  • Understand that often the spammers will configure mailbox rules to move or delete incoming and/or outgoing email. They also may delete your signature so it does not show up on their outgoing spam, or set the signature to a spam message itself to make it easier to send their spam messages out. If any messages are removed from your mailbox, these can be restored through the “Recover Deleted Items” option.
  • Finally, report the incident to postmaster@bloomu.edu so we are aware the account is no longer compromised. When we discover a compromised account, usually the first thing we do is change the password to something else so the spammer can no longer use it. However, this also locks you out of the account, so to prevent that, please notify us that you have control of your account once again.

How do I know what's phishing and what's legitimate?

  • Phishing messages typically have a Reply-To address or web link to a host outside bloomu.edu, include an unfamiliar or blank TO address, include general statements like "Dear email account owner" or "EDU webmail user", threaten lost service if you don't act, often have poor spelling and grammar, include a sense of urgency by giving quick deadlines like 24 hours or 2 days, and request userids and passwords through email.
  • Legitimate messages from the Bloomsburg University Office of Technology will NEVER ask you for your password. They typically just give updated information about technology and your user account. We may tell you to go to a website where you should enter your username and password to authenticate and access a university resource, but it's not simply a form where we are collecting the information to mark your account as active, to keep an account around, or to give you more quota. Faculty/Staff get to keep their account while they are still employed and all active students get to keep their email account on Office 365 - without EVER having to supply a password in response to an email from us. We may ask you to click a link to log in to a new technology system, such as the MyHusky system, but pay close attention to the web address that the link goes to: look at the address shown in the status bar while you mouse over the link, and check the address in the address bar of the browser if you click the link. In legitimate messages, links to websites that make you log in with your Bloomsburg University account are always in the bloomu.edu domain. You can easily check this by looking just to the left of the first slash (/) after http:// or https://. This is where the domain in the URL is located. For instance, legitimate bloomu.edu URLs are http://www.bloomu.edu/technology/ and http://www.bloomu.edu/myhusky/logon and https://reset.bloomu.edu/. Be sure not to be tricked by URLs that do include the phrase bloomu.edu, but not at the domain level of the URL. For instance, http://www.bloomu.edu.9.cn/ and http://account.bloomu.edu1.com are NOT bloomu.edu URLs. Also be sure you aren't getting tricked into going to a different website than the link text specifies. For instance, the following link actually goes to example.com, even though the link text looks like a bloomu site: http://www.bloomu.edu/.

How will I know if I've fallen for a phishing scam?

  • Please study this common scenario because any step along the way can help you realize you've fallen for a phishing scam and that you need to change your password immediately. If you receive an email message from an unexpected sender about something you have never heard of and, when you do what they ask, you just get a blank page instead of what was promised, you were probably just phished!
    • Double check the identity of the sender! - Incoming phishing scam messages typically come from a compromised account where someone else just fell for a phishing scam. In the case of that account being on an external system, the FROM address will clearly state the compromised account's display name and email address, which you will see is not a bloomu.edu address. In the case of a local bloomu compromised account, check who the sender is. If the message says it's from IT or a VIP, a legitimate message would not be coming from a student account or a faculty/staff member in an unrelated department, and it also would not have a link to an external domain.
    • Learn how to identify the domain in a URL or web page address! - You can check the domain of a URL by looking just to the left of the first slash (/) after http:// or https://. For instance, legitimate bloomu.edu URLs are http://www.bloomu.edu/technology/ and http://www.bloomu.edu/myhusky/logon and https://reset.bloomu.edu/. Be sure not to be tricked by URLs that do include the phrase bloomu.edu, but not at the domain location in the URL. For instance, http://www.bloomu.edu.9.cn/ and http://account.bloomu.edu1.com are NOT bloomu.edu URLs. Also be sure you aren't getting tricked into going to a different website than the link text specifies. For instance, the following link actually goes to example.com, even though the link text looks like a bloomu site: http://www.bloomu.edu/. In other words, always check the URL by mousing over a link or by checking in the address bar after clicking a link, rather than checking the text of the link displayed in the email message or on the web page.
    • Double check the link URL / web browser address bar to see what domain the page resides in! - Many email clients will let you see where a link goes by mousing over the link. Always do this before clicking a link so you know where it goes. In the case of external-inbound email messages, our email perimeter rewrites each non-bloomu link URL to go through a urldefense.proofpoint.com domain. This service will prevent users from going to known scam websites. So if you see that domain, you know it's not a site on the bloomu.edu domain. If the message is unexpected or suspicious and you see the URL was rewritten, you should assume the email message is malicious and proceed with extra caution, only clicking the link once you confirm with the familiar sender or with IT that the message is legitimate. Keep in mind that if an internal account was compromised and sent a scam message, the URL would not be rewritten, so you still have to check the domain name the URL is pointing at. If you still decide to click the link, always double check the web browser address bar prior to entering credentials or other data you want to protect. Remember, our page themes and content can be stolen and placed on a scam website, so only enter credentials when you know it's a bloomu.edu website.
    • When you see an unexpected result, take action! - If you do submit credentials on a phishing form, when you get a blank page or the phishing form continually says your known-good credentials are invalid, and you never get to the page that was promised to you, please realize you just fell for a phishing scam and change your password immediately!

To learn more about phishing in general...

  • Please take a look at the phishing type examples and examples of actual phishing emails that have been sent to Bloomsburg University faculty, staff, and students in the next few sections of this page.
  • Be aware that email phishing campaigns are also used to pull off more serious criminal acts such as stealing credentials for bank or credit card websites, bank account numbers or credit card numbers themselves, or stealing identity through identity theft.
  • View the brief phishing training video that Bloomsburg University has licensed from KnowBe4, a security awareness company.
  • Take a look at the Phishing Wikipedia page.
  • Hone your skills for recognizing phishing emails by taking the SonicWALL Phishing IQ Test.

Phishing Type #1 - They want you to reply with your password in an email

In the following example, a reply-to address is set which sends replies to an address outside bloomu.edu where they are collecting passwords. It is difficult to tell at a glance that a reply-to header is set: to see it you have to open the full headers of the message or, if you click reply, notice the email address on the TO line to see where replies are directed.
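
An added example, not part of the original page: what opening the full headers reveals, in Python. It compares the From and Reply-To domains of a constructed message; the function names, the sample messages and the example.net reply address are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

CAMPUS_DOMAIN = "bloomu.edu"  # domain named on this page


def header_domains(msg, header):
    """Lower-cased domain of every address in a header; empty set if the header is absent."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr}


def is_campus(domain):
    return domain == CAMPUS_DOMAIN or domain.endswith("." + CAMPUS_DOMAIN)


def reply_path_findings(raw_message):
    """Compare who a message claims to be from with where a reply would actually go."""
    msg = message_from_string(raw_message)
    from_domains = header_domains(msg, "From")
    reply_domains = header_domains(msg, "Reply-To")
    off_campus = sorted(d for d in reply_domains if not is_campus(d))
    findings = []
    if reply_domains and not reply_domains <= from_domains:
        findings.append("Reply-To domain differs from From domain")
    if off_campus:
        findings.append("replies leave bloomu.edu for: " + ", ".join(off_campus))
    if off_campus and from_domains and all(is_campus(d) for d in from_domains):
        findings.append("campus From address paired with off-campus Reply-To")
    return findings


# Constructed samples: the From address is one this page lists as commonly spoofed;
# the Reply-To address and the student address are made-up placeholders.
SAMPLE_PHISH = """\
From: "IT Helpdesk" <helpdesk@bloomu.edu>
Reply-To: Account Desk <collector@mail.example.net>
To: undisclosed-recipients:;
Subject: Your mailbox is over quota

Dear email account owner, reply with your username and password within 24 hours.
"""

SAMPLE_NORMAL = """\
From: Office of Technology <helpdesk@bloomu.edu>
To: student@huskies.bloomu.edu
Subject: Scheduled maintenance

Email will be unavailable Saturday from 2 to 4 AM.
"""
```

A message with no Reply-To header produces no findings here, which says nothing about whether its From address is genuine; the link checks still apply.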

Phishing Type #2 - They want you to click on a link and enter your password on an external web form

In the following two examples, there is a link to a web page outside bloomu.edu where they want you to enter your password. You will always notice URL links in this type of message are not in the bloomu.edu domain. You can easily see this by checking just to the left of the first slash (/) after http://. This is where the domain in the URL is located. Be sure not to be tricked by URLs that do include bloomu.edu, but not at the domain level. For instance, http://www.bloomu.edu.9.cn/ and http://account.bloomu.edu1.com/ are not bloomu.edu URLs.
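
An added example, not part of the original page: the domain check described above, together with the link-text comparison and the rewritten-link host from the earlier sections, in Python. The function and class names and the sample HTML are constructed for illustration; example.com stands in for the scam host.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

CAMPUS_DOMAIN = "bloomu.edu"                # domain named on this page
REWRITE_HOST = "urldefense.proofpoint.com"  # perimeter rewrite host named on this page

def classify_url(url):
    """Classify a link by its host: the part left of the first slash after http(s)://."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:                      # malformed URL: never treat it as campus
        host = ""
    if host == CAMPUS_DOMAIN or host.endswith("." + CAMPUS_DOMAIN):
        return "campus"
    return "rewritten-external" if host == REWRITE_HOST else "external"

class AnchorCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html):
    """Return one finding per link: where it really goes and whether its text misleads."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = classify_url(href)
        claims_campus = text.lower().startswith("http") and classify_url(text) == "campus"
        findings.append({"href": href, "target": target,
                         "deceptive_text": claims_campus and target != "campus"})
    return findings

# Constructed sample body: the first link shows a campus URL but points elsewhere.
SAMPLE_HTML = ('<a href="http://example.com/login">http://www.bloomu.edu/</a> '
               '<a href="https://reset.bloomu.edu/">Reset your password</a>')
```

The suffix test requires the host to equal bloomu.edu or end in ".bloomu.edu", which is why www.bloomu.edu.9.cn and account.bloomu.edu1.com fall through to "external".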


Here are examples of off-campus web forms set up to collect passwords through a link in a phishing message. Pay special attention to the third one, which copied our faculty/staff email login page, but notice in the address bar that it is being hosted on a website in Australia. Always check the web page address before entering your BU username and password on any web page.

Examples of actual phishing messages sent to Bloomsburg University users

The following emails are a small sample of phishing emails that were actually sent to Bloomsburg University Faculty, Staff, and Students.