On Tuesday 24 October, IT Security sent a number of staff a simulated phishing email claiming HR shared a file with you. The Subject was ‘Holiday Entitlement Changes’ available through SharePoint, and contained a link to a Word document called Holiday Entitlement Changes. If you tried to open that document you were asked for your username and password.
Those people who entered a username and password were taken to a page reassuring them this was a benign phishing simulation by IT Security. No passwords were collected or stored!
Why we did this
Our aim is not to penalise, embarrass or make anyone feel bad if they “fell for the scam”. No-one will be “named and shamed”. We think of this as being like an unannounced fire drill to make people more aware of the most common way that criminals steal passwords.
Criminals usually have more experience in conning honest people, than honest people have in protecting themselves. We want to help you to protect yourself (and the University) better by raising awareness of how easy it is to be lured into giving away your personal details by malicious emails that appear genuine.
The suspicious email.
This is a screenshot of that email, with some of the tell-tale signs that it was phishing, underlined in red.
This email is suspicious because:
- if the University was genuinely communicating a change to us, we would expect a conventional email with the details. Sometimes there may be a link to a web page, rather than by a link to a shared file.
- It claimed to be from our HR, yet there was a yellow Caution label saying it was from outside the organization.
- It asks for a username and password. Any email which links to a place where you are asked to give your username and password should be treated with caution.
You should ask yourself the following:
- was I expecting this email?
- is the Sender known to me?
- and was I expecting them to send/share this file?
Who is it really from?
- does the sending address match the alleged Sender?
- in this case, the Sender’s email domain address is @birmingham-sharepoint.live not @bham.ac.uk or no-reply@sharepointonline.com for emails from SharePoint.
Where does the link take you?
You can reveal the full address:
- on a computer, by hovering the mouse pointer over the link (without clicking on it!)
- on a phone/tablet by a long press holding down on the link.
Microsoft uses various websites and it is sometimes difficult to tell if the link takes you to a genuine Microsoft website or not.
In this example, the Open button links to birmingham-sharepoint.live which is not a genuine Microsoft SharePoint site. At the University, SharePoint has an address that starts https://bham.my-sharepoint.com.
Fraudsters are very devious in using addresses which look similar to genuine ones. This page, from CalTech, shows you how to read URLs (web addresses) correctly to help you to avoid some of the dirty tricks used https://www.imss.caltech.edu/services/security/recommendations/how-to-read-urls
You can test your knowledge by identifying which of 10 emails are legitimate or phishing here https://www.phishingbox.com/phishing-iq-test/quiz.php
Especially when we are busy, rushed, tired or distracted, we still need to pause and think before you click on a link and enter your password.