Email security | Don't take the bait! | Be smart, be sceptical, be secure

6.0 - Updated on 23-10-2023 by Alex Wylie Atmore

4.0 - Updated on 28-06-2022 by Alex Wylie Atmore

3.0 - Updated on 06-12-2021 by Alex Wylie Atmore

2.0 - Updated on 18-01-2021 by Alex Wylie Atmore

1.0 - Authored on 07-02-2019 by Kym Morris

In the digital age your personal information is important and as a result there are people with bad intentions who want to get at it - don't be a victim! Phishing is a common way to extract information from you through seemingly legitimate emails or web sites.

This article provides some information about Phishing, shows some common examples of the types of emails our staff and students receive, as well as providing simple steps to help you to be smart and sceptical and stay secure when it comes to working online. 

Definitions

Phishing is a cybercrime whereby a target (or targets) is contacted by email, phone or text by somebody posing as a legitimate organisation (such as Western Sydney University IT Support) to lure individuals into providing sensitive data such as:

  • Staff or Student ID (or other system logins)
  • Passwords
  • Personally identifiable information 
  • Banking or credit card details

This information is then used to access important or personal accounts and can result in:

  • Identity theft
  • Propagation of additional phishing attacks
  • Email blacklisting
  • Loss of productivity
  • Intellectual property or data theft
  • Financial loss.

You should avoid clicking on links, opening attachments or otherwise interacting at all with phishing email. Ignore it, delete it or report it.

Spoofing is where an email address is altered so that it is displayed as though it came from another person. This is done by the sender manipulating the email header so that the display name shows something other than their actual email address. In the example below, the display name was someone who works with the recipient, but the address it was sent from was not a University email address.

Example spoof image - the 'from' address is not a University email address.

For more detail on this example, please see 'The bait' section below.

A related technique to spoofing is to have the false email address be similar enough that the difference may be overlooked. For example - ‘ITServiceDesk-westernsydney@gmail.com’ is not the University’s IT Service desk email (‘itservicedesk@westernsydney.edu.au’), but it’s using a similar enough email address that it might be overlooked.

Spam email or Junk email can be considered any form of unsolicited or unwanted email and is usually sent in bulk. A spammer might typically send a spam email to millions of email addresses, with the expectation that only a fraction will respond or interact with the message. There are many forms of spam emails, some of which include:

  • Scams and Fraud
  • Malware, Ransomware, Adware, Viruses and Spyware
  • Advertising and Marketing
  • Online Gambling, Piracy and other Adult content

Not all spam is phishing – marketing emails, for example – but to be safe you should avoid clicking on links, opening attachments or otherwise interacting at all with email you weren't expecting to receive. Ignore it, delete it or report it.

The Bait, The Thought, The Response - Examples of Phishing emails and how to approach them

Whilst the complexity and craft of Phishing emails are constantly evolving (and unfortunately improving), there are some regular forms of Phishing that our staff and students receive. Unfortunately, they are effective because they tend to arrive at a time when we're flustered, busy or otherwise distracted. We don't look before we leap. After we've been duped, we think back to the exact moment and often shake our heads like "how did I not realise this was a fake".

Take a look at the examples below to see some of the common elements these emails contain, some questions you can ask yourself when you receive them and the appropriate response to take.

These types of phishing emails try to warn you about an issue with your account, contain an "important message" for you that you need to log in to a system to view (often a fake website designed to look like the real thing), or request that you verify your login information because of a change or compromise to your account, which will expire if you do not act immediately.

'Your incoming mails were placed on pending status due to the recent upgrade to our database, In order to receive the messages click here. to login and wait for responds from IT-HELPDESK. Thankyou'

The Thought - "Would the University really send me a warning that threatens to deactivate my account or impact my emails if I don't take this action? Why can't these people spell? Why would they email me to warn me that my account was compromised?"

  • Neither the University nor any other organisation that cares about the protection of your personal, sensitive information would ever ask you for your password, driver’s license details, health information, or anything similar via email.
  • Typically these sorts of emails are also riddled with spelling and grammatical errors. Treat anything claiming to be from a legitimate source that contains plenty of errors as suspicious.
  • General emails from ITDS will be from an internal address (not any external source such as a random gmail or hotmail account).
  • If important account information was legitimately sent by the University, it is unlikely that it would contain a direct link to fix whichever problem it was alerting you about. Please report any University communications (legitimate or otherwise) you receive if you believe they look suspicious.
  • If your account is actually compromised or you suspect that it was, the best action you could take would be to contact the IT Service Desk by phone on (02) 9852 5111.

The Response - "I don't trust this email, I'm going to investigate this manually, report it, delete it or ignore it".

  • If you want to confirm that your account is about to expire, manually navigate to the login page (don't use the link in the email) and check there. This applies to all University systems but also personal logins and websites - be smart!
  • Try typing the first few words of the subject or opening sentence of the email into a search engine and see if it has been reported as a known scam.
  • The legitimate password reset reminders from ITDS do not contain hyperlinks to the password reset portal, to avoid any confusion.
  • Report Phishing or otherwise suspicious emails to the IT Service Desk.
  • Another simple trick that you can use to check a link actually goes where it says it will is simply to hover your mouse (or tap and hold on mobile devices) over it and inspect the destination website. Read links from right to left to see which domain they're really taking you to! This one goes to somewhere called skv-gmbh.live, a false domain that was likely set up to capture unaware staff or students. This video on our Cyber Security page covers this tip in much greater detail, check it out!

example scam email, showing masked URL

You receive an email with an attachment that you weren’t expecting. The email claims that the attachment is a bill, invoice, or similar. It says that you should download and deal with the issue described on the attachment quickly or there will be a consequence.

example scam email, claiming an invoice is unpaid and owing

The Thought - "Do I even have anything to do with this company or sender? Have I ordered anything from there recently? Could I verify this any other way besides clicking on the link in this email or opening this attachment?"

Invoice and bill scams are tricky because they target the part of our brains that straight away thinks "Uh-oh, I've messed up and forgotten to pay this... I'd better fix it before something happens". Don't put that pressure on yourself! Take a second, step back from the email and ask yourself some questions:

  • Do I have any business with this company? Was I even expecting to receive this email from "them"?
  • If I do, was a bill even due?
  • If it was, did I pay it?
  • If I can't remember, how can I find out?
  • Can I ask a colleague if they received the same email?

The Response - "I'm going to verify this some other way first, it's the safest thing to do"

If you have no business with the sender or the "company" they are claiming to be from (the sender address could be spoofed - which means made to look like it was sent from, but wasn't actually) then ignore or report the email and do not open the attachment or click on the link. 

If you do have business with this company but something about this email still feels off, there are a number of ways you can verify it before taking any action:

  • Check with a colleague whether they received the same thing - it could be a targeted or a widespread attack.
  • If you have a relationship with the sender, contact them through your usual avenues of communication, not by replying to the email, to confirm that it actually was sent by them.
  • Open the system you use for ordering or payments manually and check whether the information in this email lines up. If you don't see anything matching the contents of the email, it was likely a scam.
  • Report Phishing or otherwise suspicious emails to the IT Service Desk.
  • Never enable macros to run on attachments (Word and Excel documents especially) you were not expecting to receive; these can often contain viruses.

example Word document with embedded Macro. A yellow popup appears stating "SECURITY WARNING Macros have been disabled", with a button to 'Enable Content'. ITDS-Security recommends against enabling macros on attachments you are not expecting.

You receive an email claiming that you’ve won fabulous prizes or have inherited some sort of wealth. All they need you to do is reply, click a hyperlink, download a form, or otherwise engage in a practice that would otherwise be highly suspicious.

example scam email, claiming a relative of the recipient has left them a large inheritance

The Thought - "This sounds too good to be true..."

Any email trying to offer you something for free should make you instantly suspicious. If you didn’t enter any competitions, drawings, or otherwise have reason to expect the email, you should actively assume it’s phishing (or at least spam). 

The Response - "I will report this and I won't reply"

Report Phishing or otherwise suspicious emails to the IT Service Desk

As tempting as it is to respond and 'mess' with the senders of these emails, don't. If they receive a reply from you, that tells them that you actively read and reply to email and might make you the target of further spam. The true nature of the next one you receive might not be so easy to spot!

An email claiming to be from your bank, ISP, the government, or another legitimate source arrives, and contains all appropriate information (such as names – theirs and yours – and a case number or other seemingly valid ID). It can look legitimate, as images and advertising used by that organisation are part of the message. However, it asks you to perform an action that the organisation would ordinarily not do, and/or you weren’t expecting the email.

example scam email. Text reads 'Are you in the office? I have a request I need you to handle immediately, confirm your availability. Regards, P'.

example scam email. Text reads 'Are you available to handle an international payment this morning? Have one pending, let me know when to send back detail. Regards, John Smith'. 

The Thought - "Was I expecting to receive this? Is this a usual request? How can I find out if this is real or not?"

If you have not received this sort of request from this sender before, treat it as suspicious. Think about ways you might be able to verify that the request was actually sent by this person. 

The Response - "I'd better check this is real before I do something stupid!"

You can verify the legitimacy of a suspicious request in a number of ways; think of it as looking before you leap.

  • Contact the sender or organisation through your usual avenues of communication, not by replying to the email, to seek verification.
  • In cases where the sender is in a high position at their company, check with their assistant.
  • Check the address that the email came from: if this really was from my boss and I work at Google, where all our accounts end in "@google.com", why is this email address showing as "@ec.rr.com"?
  • Report Phishing or otherwise suspicious emails to the IT Service Desk.

example scam email, highlighting the sender's email address is from outside the University

Verifying Unusual emails

In some cases, you might receive a communication from a person you recognise, but coming from a different source than normal, or asking something unusual. For these occasions, it’s an excellent idea to verify that message using other channels of communication that have already been established. For example:

  • You’ve received an email that claims to be from someone you know, but it’s coming from a different address than usual (see also ‘email spoofing’ and the 4th ‘The Bait’ example above). You could use a telephone number you have saved (or available from a public source) to verify that they sent the email.
  • You’ve received a text message claiming to be from an organisation you know, but it’s asking for something unusual. You could go to that organisation’s website to find their official email address or phone number, and request confirmation that they sent the message.
  • You’ve received a message over social media or a messaging application that claims to be from someone you know, with an attachment or link in it. You could use a telephone number or email address you have saved (or available from a public source) to verify that the message was legitimate.

It’s noteworthy that in all of these examples you should avoid verifying a communication through direct replies. If a scammer has created a false email account, sending a separate message to that same email will just tell the scammer that you’re receptive to their tactics. Using a previously confirmed channel of communication, or details from an official public source is recommended.

And as ever, if you think you’ve received an unusual or unexpected communication at work with your University data, please report it to the IT Service Desk:
Web: http://MyIT.westernsydney.edu.au
Email: itservicedesk@westernsydney.edu.au
Phone: (02) 9852 5111.

Be Smart, Be Sceptical, Be Secure

  • Think carefully about the information you provide to third parties online. Your information should be protected at all costs and only released to parties who you trust.
  • Never provide a third party with your username or password. Your username and password are the keys to your digital kingdom and should be kept private. 
  • Any unsolicited contact promising money or prizes and urging you to provide details is more than likely trying to hurt you.
  • Think carefully before clicking on a link in an email you have received or a website you have visited. Things may not be what they seem; if in doubt don't click. Spam, for example, can look legitimate but may have been designed to carry malicious software or viruses that are designed to harm you or your computer by stealing sensitive information.
  • Be sceptical of get rich quick offers and calls for donations following a disaster that’s been in the news.
  • Be suspicious of anyone calling you offering to fix a problem with your computer. 
  • Don't submit or access sensitive information when using a public computer or accessing personal or financial information using an unsecured Wi-Fi location such as at a shopping centre or a restaurant. You don’t know who else is listening, who was there before you or what they have done!
  • Be sceptical of emails or websites claiming to be official, especially when the quality is not there. Spelling and grammar mistakes are normally a good giveaway!
  • Most importantly question anybody asking you to provide your username and password, your personal or financial details. Western Sydney University IT staff will never ask for this information!   
  • Report suspicious emails to the IT Service Desk.
  • Choose safe strong passwords. For help with your WesternAccount check the Password Management on the MyIT Portal.
  • Avoid reusing the same password. You can learn more about how to make a password safe and remembering it by visiting the Australian Cyber Security Centre website.
  • Consider using a password vault, though DO ensure that you read the terms and conditions of any specific product before making use of it.
  • Limit the amount and type of identity information you post on social networking sites. Don't put sensitive, private or confidential information in your public profile. It can be nice to receive a 'Happy Birthday' post on social media, but your Date of Birth is a personal piece of information that can be used maliciously to impersonate you; consider the risk of exposing it so freely.
  • Don't share personal or financial information about yourself, your friends or family unless you have initiated the contact and you know the other person involved.
  • Use a secure payment method such as PayPal, BPay, or your credit card when shopping online and make sure the payment or checkout page is secure (look for the Lock icon in your browser or 'https' at the front of the URL).
  • Never send your bank account or credit card details via email.
  • If an email contains a link, hover over it (or tap and hold on mobile devices) to see where it actually goes. This is a good habit to get into because Phishing emails often mask their links to hide the true destination.
