Go to the U of M home page

Monday, November 9, 2015

Advisory: Wire Transfer Scams

Most phishing appears to be aimed at stealing email credentials to use for spamming, but occasionally the phishers have a more sophisticated strategy, namely using a stolen account for malicious financial purposes.

Some phishers are looking to hijack accounts they can use to extract payments from University departments - using the account to send requests, sometimes quite insistent, to request fund transfers.

A typical scenario:
  • Victim receives a "shared google document" and "logs in", giving up their ID and password.
  • Phisher researches the victim's email account (by reading their email) to learn more.
  • Phisher notes the victim has a position likely to involve finances.
  • Phisher adds filters to hide messages in folders without landing in victim's inbox.
  • Once the phisher is ready, they use the account to send invoices or other messages to relevant contacts in the victim's mail, requesting money be directed to a bank account they control. Filters divert responses into a folder (or to another email account) so the victim does not see the exchange.
The good news is, we have yet to see this scenario succeed. So far in all cases reported, the requests have been resisted and no money has been reported lost.

Best practices:

  1. Be sure your department has established procedures for all financial transactions, and stick to them.
  2. Treat unusual, hurried and insistent requests with suspicion. "Is this the way Professor Smith normally acts?"
  3. Use other means of communication than email to confirm unusual requests. Make a phone call, or ask in a face-to-face conversation.

Friday, November 6, 2015

Phishing Example 116: Dropbox File

Received November 2015

  • Variation on "I've shared a document."
  • Attempts to steal email credentials.
  • The U does not use Dropbox - cloud storage is provided via UMN branded Google.

Subject: Dropbox File


This user used Dropbox to share a file with you!

View|Download files
- The Dropbox Team

Link takes you to a page that looks like this:

Filling out page tries to send you to (but fails) a document at Morgan Stanley:

Thursday, November 5, 2015

Advisory: Google Warnings on Suspect Email

GMail may flag phishing mail that is suspect - please pay attention!

Here's an example from a recent phish:

The "Learn more" link will take you to a helpful page full of information about dealing with phishing and spam:

Wednesday, November 4, 2015

Phishing Example 115: Update

Received November 2015

From: help@umn.edu <--NO, NOT REALLY
Date: Wed, Nov 4, 2015 at 5:24 AM
Subject: Update


Your MyUMN mail quota is almost full and needs to be updated to unlimited
storage system. To adjust/update, login to MyUMN with your Internet ID and
Password to automatically increase mail quota.


Web Team
HelpDesk: 865.974.9900 or http://help.umn.edu. 
           NOPE - That's the Helpline for a different school (UTK)
© 2014–2015 Regents of the University of Minnesota. All rights reserved.

Very good copy of UMN login page - hosted at "altervista.org??":

Filling in the page sends you TO the University: