From guest blogger Mike Caudill.
More correctly stated, it is always the season to not be gullible. This time of year is a big deal for retailers and charities. For retailers, many of them will earn a significant portion of their yearly revenue in the months of November and December. For charities, donors may rush to get those last minute donations in to take advantage of tax deductions for the current tax year. In doing so, we are bombarded with messages on television, the radio, in print publications, and other means advertising shopping specials or sites to help those in need. While many, if not most, of those sites are indeed legitimate, there are certainly some that are not.
I wanted to share with you a personal story that happened just this past weekend. I had just come from the Christmas parade. People were taking pictures of all of the floats and of the parade participants. Not long after the parade ended I received a text message on my cell phone. The message stated, "Tina said forward this to you:" and was followed by a URL from bit.ly, a popular URL shortening service. While I did not recognize the number, it certainly was possible that it was from some acquaintance's cell phone. I also was not sure exactly who Tina was. I do know some folks named Tina, but the message seemed strange. Could it be that someone had sent me a picture from the parade? Were they sending me something else? Were they pointing me to a longer URL for some topic that I was interested in?
So, I checked it out. But I did so SAFELY. I did not go visit the URL directly from my cell phone or from my work laptop. On another machine where I have the tools installed to investigate URLs I typed in the URL manually and visited the website. "Tina" had wanted to point me at a site where I could get a FREE $1000 Target Gift Card. All I had to do was to enter a code into the box and click submit while a countdown timer counted down from five minutes. Anyone believe that any retailer is legitimately having someone named Tina send text messages to random cell phones and offer them $1000 gift cards?
When someone sends you a URL that you did not ask for, be very careful about following it. If something does not seem right, then stop and do not proceed any further. The example I gave is an attack that uses SMS messages to a mobile phone in an attempt to scam the user, known as SMiShing.
You may also have heard of the term phishing. Phishing occurs via email. While spam email is typically unsolicited and may advertise a product of some type, a phish is also unsolicited but may appear to be from a legitimate party and seeks to trick the recipient into a fraudulent transaction. That transaction often involves tricking the user into divulging personal information, authentication credentials, or credit card information. The FBI and others have been trying to get the word out on this class of attacks. They have published guidance available at the following URL:
I started this blog entry with the text "'Tis the season not to be gullible". The FBI guidance even warns "In advance of the holiday season...". However, phishing and smishing are not limited to just holidays and their celebrations. Those attacks take advantage of curiosity, current events, and emotional reactions and can occur any time of the year. They want to pull you into their trap. They may leverage current events like natural disasters, sports events, charitable causes or current news to convince you to follow their lead into a trap and they will take the steps necessary to make it believable.
Duke recently appeared in the press because we were implementing Office 365 for our institutional email service. Microsoft even issued a press release on it:
The result? We have seen a noticeable increase in phishing attempts. One recent example tried to convince the recipient that they were about to exceed their email storage quota and needed to upgrade their account by clicking a link; after their information had been verified, their account would remain active. Another informed the user that the Duke University system and calendar services had been updated and that they needed to visit the updated URL for information and instructions on how to access their email. These emails are well crafted, and the sites that you are directed to are often made to look like a Duke site. They may have copied Duke logos and insignias, copied page headers or page styles, and used Duke colors or anything else that would make the fake site appear legitimate and believable.
It is even possible that you could see more targeted attacks where the website domain name may appear to be a Duke site. Take, for example, a URL containing a domain name like www.du.ke, www.duke.org, or www.duke.us. Do those belong to Duke University? The answer is no. While Duke University owns several domain names, you should familiarize yourself with the ones you use most often and pay close attention in the event that sites attempt to use domains that might be believable.
So what should you do? How can you protect both your private online accounts and your work accounts here at Duke? Follow the advice in the fbi.gov URL above. Do not click on links from unsolicited email. Hover your mouse pointer over the links in the email and compare the actual link with the text of the link contained in the email. If it does not point to a URL within Duke or the institution in question, then think twice before clicking it and before providing any information to the remote site. If in doubt, question the legitimacy of the email and contact the institution via other means to verify the validity of the mail.
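The two checks above, that the link's real destination is within the institution's own domain and that the visible link text matches the actual link target, can be automated over an HTML message body. The following is an added example, not code from the post or from Duke; it assumes duke.edu is the institution's legitimate domain (the post does not name it) and uses a constructed sample message modelled on the quota-upgrade lure described earlier.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: duke.edu is the institution's legitimate domain (the post does not name it).
TRUSTED_DOMAINS = {"duke.edu"}
# Pulls a domain or URL out of an anchor's visible text ("see https://mail.duke.edu/x").
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def host_is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only if the host is a trusted domain or a subdomain of it (www.duke.us fails)."""
    host = (urlparse(url).hostname or "").rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

class _AnchorCollector(HTMLParser):
    # Collects (href, visible text) pairs from an HTML message body.
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Flag anchors that lead to an untrusted host, or whose visible text names a
    different host than the real href (the hover-and-compare check, automated)."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        real = urlparse(href).hostname or ""
        match = DOMAIN_IN_TEXT.search(text)
        shown = match.group(1).lower() if match else ""
        reasons = []
        if not host_is_trusted(href, trusted):
            reasons.append("untrusted host " + real)
        if shown and shown != real:
            reasons.append("text shows %s but link goes to %s" % (shown, real))
        if reasons:
            findings.append((href, text, reasons))
    return findings

# Constructed sample modelled on the quota-upgrade lure described in the post.
SAMPLE = ('<p>Your mailbox is almost full. <a href="http://www.duke.us/upgrade">Upgrade at '
          'https://mail.duke.edu/upgrade</a> or read the <a href="https://oit.duke.edu/help">help page</a>.</p>')
```

Running `suspicious_links(SAMPLE)` flags only the first anchor, for both reasons, while the genuine oit.duke.edu link passes.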
Many scammers depend on an unsuspecting victim. The way to make yourself safer is to think before you act, so that you can make sure you do not fall prey to them.