This semester we decided to simulate a phish that appeared to come from a haverford.edu address. In a real attack this happens when a compromised campus account is used to send the campaign, or when a more sophisticated attacker forges the sender address outright.

For staff and faculty, the message claimed to be from HR, offering a free gift and asking recipients to verify their home address. For students, it claimed to be a job posting. Both groups improved on the Spring semester results: only 19.6% of staff and faculty and 7.6% of students clicked the links or replied to the email.
In both emails the From address claimed to be a haverford.edu account, but the Reply-To pointed to an account in another domain, so any reply would have gone to the attacker rather than to a campus mailbox. When you receive an email, always do the following to verify its authenticity:
- Check that the From and Reply-To addresses are both accounts you know and trust. If they don't match, treat the email with more suspicion.
- Mouse over any links in the body of the email and check where they actually lead. If you are on a device that doesn't let you preview a link before clicking it (such as a phone), wait until you are on a device that does before you click.
- Ask whether the email wants you to do something urgently, under threat of consequences if you do not. A phisher is hoping you will make a hasty, emotional decision before you stop to question it.
- If you are asked to supply a username or password, check the URL of the site you are entering this information into. If you don't recognize the URL, don't supply it. If you use a password manager in your web browser and it did not fill in your credentials automatically, that is a strong indication you are on a fake login page: the manager only fills credentials on the site where they were saved.
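The first two checks above can also be done mechanically on a saved message, which is useful when reviewing a reported phish. The script below is an added example written for this page, not an IITS tool; the two messages it inspects are constructed to mirror the campaign described (a haverford.edu From address with a Reply-To in another domain, and a link whose visible text names one host while the href points at another), and every address and URL in them is made up. Treat the results as the newsletter does: a Reply-To in another domain is a reason for more suspicion, not proof of phishing, since ticketing systems and mailing lists legitimately set it, and the From header is read as displayed, so a forged From still reads as haverford.edu here.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the campaign in the text. The From header
# claims a haverford.edu sender, Reply-To points elsewhere, and the first link
# shows one host in its text while the href goes to another. All made up.
SAMPLE_EML = """\
From: "Human Resources" <hr@haverford.edu>
Reply-To: hr-rewards@mail.example.net
To: staff@haverford.edu
Subject: Confirm your home address to receive your gift
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please visit <a href="http://haverford.edu.example.net/verify">https://haverford.edu/hr</a>
within 24 hours. Questions? <a href="mailto:hr@haverford.edu">Email HR</a>.</p>
<p>Unsubscribe <a href="http://mail.example.net/unsub">here</a>.</p>
</body></html>
"""

# Constructed benign sample: Reply-To matches From and the link is honest.
CLEAN_EML = """\
From: "IT Service Desk" <servicedesk@haverford.edu>
Reply-To: servicedesk@haverford.edu
To: staff@haverford.edu
Subject: Scheduled maintenance
Content-Type: text/html; charset="utf-8"

<html><body><p>Details are posted at
<a href="https://www.haverford.edu/iits">https://www.haverford.edu/iits</a>.</p></body></html>
"""

# Visible link text that looks like a hostname or URL (what a reader would trust).
HOST_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


def address_domains(msg, header):
    """Lower-cased domains of every address found in the named header."""
    addrs = getaddresses(msg.get_all(header, []))
    return {addr.rpartition("@")[2].lower() for _, addr in addrs if "@" in addr}


def reply_to_mismatches(msg):
    """Reply-To domains that appear in no From address (empty set = consistent)."""
    return address_domains(msg, "Reply-To") - address_domains(msg, "From")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_host):
    """Host part of a URL; a bare hostname such as 'haverford.edu' is accepted too."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "//" + text
    return (urlparse(text).hostname or "").lower()


def deceptive_links(html):
    """(visible text, href) pairs where the text looks like a URL but names a different host."""
    collector = _LinkCollector()
    collector.feed(html)
    return [
        (text, href)
        for href, text in collector.links
        if not href.lower().startswith("mailto:")
        and HOST_LIKE.match(text)
        and host_of(text) != host_of(href)
    ]


def analyze(raw):
    """Apply both header and link checks to a raw (single-part HTML) message."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return {
        "reply_to_mismatches": sorted(reply_to_mismatches(msg)),
        "deceptive_links": deceptive_links(body),
    }


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_EML), ("clean", CLEAN_EML)):
        for check, finding in analyze(raw).items():
            print(f"{label} {check}: {finding or 'none'}")
```

Run it on an exported .eml (read the file and pass its contents to `analyze`) to see which of the two warning signs a reported message triggers; multipart messages would need the HTML part selected first, which this example leaves out for brevity.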
We have also had reports of attackers attempting to bypass our two-factor protections. At Haverford College, we use Duo as our two-factor authentication solution. Duo offers several ways to satisfy the second factor, such as push notifications or one-time codes sent via SMS. DO NOT approve a Duo authentication unless you are the one trying to log in at that moment.
If a login page requires a different form of two-factor authentication than you are used to, you are likely on a fake login page. Check the URL of the page; if it is not one you recognize, do not provide this information and report the incident to IITS immediately. Likewise, never approve a push notification for a login you are not currently attempting: an unexpected push usually means someone else already has your password and is trying to use it. Deny the request and contact IITS immediately.
As always, if you ever have any questions regarding the validity of an email please contact the IT Service Desk!