Alert: Schulz Survey Phishing Scam

This morning CAHNRS IT sent out an alert regarding the “Survey from WSU President” email. This is the email I talked about on my Thursday “IT News & Updates” blog, but in just a couple of days, the responsible party has become smarter by dressing up the email to make it look even more “real”. Shown below is a side-by-side comparison of the same malicious email. Beneath that, I’ve included the text from the alert email sent out by Bill Bonner with CAHNRS IT. They point out the telltale signs of this being malicious and reiterate what you won’t generally see in a legitimate WSU email.

Original email highlighting Phishing traits
More refined email

CAHNRS Alert email excerpt:

CAHNRS Colleagues,

Please be aware of the (above) malicious phishing email.  This email, crafted to look like an urgent survey request from Kirk Schulz was sent out to a large number of WSU employees and grad students.  The email was sent from the account of a WSU employee whose password was stolen.  You can tell that this is a phishing email by the following:

  1. The links are suspicious in that they don’t show the URL they take you to, and there is a link written in all capital letters.  Official emails will not contain links that hide the URL, or that are written in all capital letters.
  2. If you hover over the links you can see they take you to a non-WSU site (I changed the links to go to a fake URL, you should see http://suspicious.site).
  3. The email comes from a personal email account other than the purported sender.  Official communications from WSU leadership usually come directly from their account, or on their behalf by an official distribution list.  If you look up the employee whose account was used to send the message, you would see they are an engineering technician, and it doesn’t make sense for this message to come from that position.
  4. There are other signs as well, such as little slips of the grammar that are unlikely to be in an official message from WSU leadership.  However, the email also contained links to official web pages and mailing lists, making it difficult to classify as malicious just based on the grammar.

Please remember to be diligent when inspecting emails that you are not expecting, and that are asking you to click on links and perform actions as an employee.  It is likely that this phishing email will result in a few WSU employees’ passwords being stolen, which perpetuates the cycle.  You don’t want your email account to be used to send phishing emails to hundreds of your peers, so please be safe.

If you ever have a question on the validity of an email, please forward it to cit.support@wsu.edu and we can tell you whether it is legitimate or not.  Additionally, you can directly report suspicious emails to abuse@wsu.edu.

Bill Bonner
Operations & IT
Washington State University
College of Agriculture, Human, and Natural Resource Sciences
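
The telltale signs listed in the alert can also be checked mechanically. The following is an added example, not part of the original alert or of any WSU tooling: it runs those checks over a constructed message, and the `wsu.edu` trusted domain, the sample sender `pat.example@wsu.edu` and the `purported_sender` parameter are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "wsu.edu"  # assumption: official senders and links live under this domain

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def in_domain(host, domain=TRUSTED):
    # Match on a label boundary, so wsu.edu.attacker.example does not pass.
    return host == domain or (host or "").endswith("." + domain)

def phishing_signs(raw, purported_sender):
    """Return findings for a single-part HTML message (the sample's format)."""
    msg, findings = message_from_string(raw), []
    display, addr = parseaddr(msg.get("From", ""))
    if purported_sender.lower() not in display.lower():
        findings.append(f"sent from {addr}, not {purported_sender}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        host = urlsplit(href).hostname
        if not in_domain(host):
            findings.append(f"link '{text}' goes to non-WSU host {host}")
        if "://" not in text and not text.lower().startswith("www."):
            findings.append(f"link '{text}' hides its URL")
        if text.isupper():
            findings.append(f"link '{text}' is all capitals")
    return findings

# Constructed sample: a staff account sending a message signed as the president.
SAMPLE = """From: Pat Example <pat.example@wsu.edu>
Content-Type: text/html

<p>Please complete the survey: <a href="http://suspicious.site">CLICK HERE</a></p>
<p>See <a href="https://wsu.edu/about">https://wsu.edu/about</a>. Kirk Schulz</p>
"""
```

The legitimate `wsu.edu` link in the sample produces no finding, which matches the alert's point that official links inside the message do not make it trustworthy on their own.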