Phishing

Key Actions 

Do not click a link if it looks 'funny' (i.e., the domain does not match the sender or the organization the email is referencing).

Familiarize yourself with what Proofpoint links look like.

Duke will never ask you for your password in an email.

What is phishing and how to spot a potential phishing attack

Phishing attacks are attempts to socially engineer recipients into either installing malicious software meant to steal private data or providing information through what appears to be a normal, secure channel. Such attacks can incorporate phone calls, 'spoofed' e-mails, and/or fraudulent websites, all of which are designed to fool recipients into divulging personal data such as account usernames and passwords, Social Security numbers, credit card numbers, etc.

Spear phishing is targeted phishing, often aimed at executives and employees with access to confidential data. Be wary of any email which asks you to reply with account information or click on a link, especially if the message is written to sound urgent. Be suspicious of impersonation if you receive urgent requests for money from a colleague or friend as well; confirm the legitimacy of such a request by a completely different communication method (for example, if you receive an email requesting funds, call the supposed sender to verify).

Common things to check when trying to identify a phish:

  • Spelling mistakes and/or poor grammar. Professional mass communications are typically reviewed by an editor before distribution. Cybercriminals do not always take that into consideration.
  • Threats or a sense of urgency. A common tactic is to threaten the recipient with account closure if they do not act with haste. The best course of action is to contact the purported sender by legitimate means to verify the claims of the email (e.g., if the message appears to be from your bank, call their toll-free support hotline to validate account issues, or call your Service Desk here at Duke).
  • Hyperlinks. It is common to see a link in an email message; however, before you click the URL, be sure you're aware of the actual destination. Mousing over the link will reveal the true destination. Another issue could be URL shorteners, which consolidate long URLs into shorter, manageable links. Online services such as GetLinkInfo.com will help you expand and preview such links before clicking through to untrusted domains.
  • Sender or Reply-to address(es). Look at the sender and reply-to information in the message headers. Be aware that these addresses can be spoofed, and try to determine whether the address actually belongs to the supposed sending party. For example, we've seen phishing attacks that purport to be from the "Helpdesk" yet the address is not help@oit.duke.edu. In fact, some messages may not even attempt to appear to come from the duke.edu domain. If those addresses are in no way related to the institution that's supposedly sending the email, immediately question its validity.
  • Spoofed logos. Cybercriminals know that if they include a logo or common graphic in the email, the recipient is more likely to trust the validity of the message. Be aware that images linked to the legitimate website/company can be spoofed and do not necessarily ensure communications originated from the purported sender.
  • Attachments. It is not unusual to receive an attachment in an email. On the other hand, be wary of enticing file names or certain file types (e.g., .exe, .zip, .bat), especially when the sender is not trusted. Typically a malicious file has to be opened to install the malware. If you can safely save the file without opening it, it is possible to upload the file to sites such as VirusTotal.com in an attempt to determine if the file is recognized by Anti-Virus vendors. Keep in mind that the file could contain malicious content not yet identified by any of the Anti-Virus vendors, and this should not be the sole method for determining whether the file is "safe".
  • Email Headers. An email header is essentially the envelope of electronic mail. You can see the addresses used to route the message. Reviewing the full headers may help you identify whether or not the message legitimately came from the purported sender.
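
The sender/Reply-To and hyperlink checks from the list above can be run over a saved message, shown here as an added example that is not part of the original page or any Duke tooling. The names phish_indicators, LinkCollector and addr_domain are hypothetical, and the sample message is constructed, with example.net standing in for an unrelated domain.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or hostname.
URLISH = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:[/?#]\S*)?", re.I)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None  # _open = [href, text] inside <a>
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._open:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            self.links.append(tuple(self._open))
            self._open = None

def addr_domain(header):
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def phish_indicators(raw):
    msg = message_from_string(raw, policy=policy.default)
    found = []
    sender, reply = addr_domain(msg["From"]), addr_domain(msg["Reply-To"])
    if reply and reply != sender:
        found.append(f"Reply-To domain {reply} differs from From domain {sender}")
    body = msg.get_body(("html",))  # None when there is no HTML part
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        shown, real = URLISH.fullmatch(text.strip()), urlparse(href).hostname
        if shown and real and shown.group(1).lower() != real:
            found.append(f"link text shows {shown.group(1).lower()} but href goes to {real}")
    return found

# Constructed sample message (not a real phish).
SAMPLE = """\
From: Helpdesk <help@oit.duke.edu>
Reply-To: support@example.net
Content-Type: text/html; charset="utf-8"

<p>Act now: <a href="http://login.example.net/reset">https://oit.duke.edu/help/</a></p>
"""
```

Calling phish_indicators(SAMPLE) reports both the Reply-To mismatch and the link whose visible text and real destination disagree. Links rewritten by a mail gateway such as Proofpoint will also show up as a mismatch, so treat the output as a prompt for a closer look, not a verdict.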

Duke’s Office of Information Technology (OIT) and the Duke IT Security Office (ITSO) have seen a tremendous uptick in the number of email scams coming through campus email systems. The ITSO offers the following reminders about handling suspicious messages:

  1. Remember that Duke will NEVER ask for your password or information about your account via email.
  2. Do NOT click any links in suspicious messages. Links in messages such as these phishing attempts are used to coerce recipients into providing account credentials, but there is also the possibility that you will be redirected to a site used to install malware on your computer.
  3. If you get an email message that looks to be a scam, please forward the message as an attachment to security@duke.edu so that the message will contain full headers to assist our teams in taking appropriate action.*

* - This is typically done by forwarding the original message as an attachment; however, to be certain, please see the OIT website for instructions on revealing full headers in most common email programs. Most notifications will be posted to the Duke ITSO Alerts page. If you've caught a phish, please review recent alerts to see if our office has been notified.

University email users should contact the OIT Service Desk for additional information or help at http://oit.duke.edu/help/.
Duke Health System email users should contact the DHTS Help Desk for additional information or help at http://helpdesk.dhts.duke.edu/.