Montana State University

MSU IT Center

Renne Library Commons
P.O. Box 173240
Bozeman, MT 59717-3240
406-994-1777 | helpdesk@montana.edu

Chief Information Officer

Jerry Sheehan
jsheehan@montana.edu

Chief Security Officer

Rich Shattuck
rich@montana.edu

Tip of the Month: Help Us Shake Spear Phishing!


To click or not to click: That is the question

  • You receive an email from FedEx informing you that there has been a problem delivering your shipment. You don't recall having shipped anything recently, but you do use FedEx frequently. The email includes a tracking number and a link that you can click to see the details. You click the link to get more information, and the page it opens silently installs malware on your computer.
  • You receive an email from the MSU Helpdesk informing you that there has been an issue with your MSU account that they are attempting to resolve. To proceed, however, they need you to reply with your username and password. The email warns that failure to respond will result in the deactivation of your account. Not wanting to risk losing your account, you respond. The thieves who receive your reply then use your account, and through it other MSU resources, for criminal activity.

These are both examples of phishing attacks: official-looking emails that try to trick you into visiting a fake website or into divulging personal information or passwords. More specifically, both of the emails above are examples of spear phishing attacks.

What is Spear Phishing?

Spear phishing attacks are phishing attacks that target a specific group of individuals, such as the clients of a particular company or the employees of a certain organization. These individuals make good targets because they are accustomed to receiving email from that organization and are quick to trust attachments or links if the message looks like the organization sent it. Spear phishing emails often include specific details about the organization (names, departments, services, account terminology) to make them look more believable and to convince the recipient to click a malicious link, open an infected attachment, or reply with personal information or passwords.

How do I know if an email is legitimate?

Unfortunately, it can be difficult, if not impossible, to know for sure whether an email is legitimate simply by looking at it. The sender name and address can be forged, and a link's visible text need not match where it actually goes. Any email that asks you to send personal or account information such as a password is almost certainly a scam. No legitimate organization would request personal information through email, nor would any legitimate business ever ask you to provide your username and password over email. If there is any question about whether an email is legitimate, contact the organization that appears to have sent it, using contact information you already have rather than anything printed in the message.

If you ever receive an email claiming to be from MSU that asks you for your username and password, report it to the MSU Helpdesk and delete it. You are the only person who should ever know your passwords. If you receive an email claiming to be from MSU that asks you to open an attachment or click a URL and you weren't expecting the email, confirm with the apparent sender that it is legitimate before acting on it, even if you know that person; their account could itself have been taken over, and a message from a known name is exactly what a spear phisher imitates.
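The rules in this section (a sender that claims to be MSU but writes from an outside address, a request for your password, a deadline or threat to pressure you, and links that lead away from MSU) can be applied mechanically before a person reads a message. The script below is an added example written for this page, not code from MSU IT or any product. It uses only the Python standard library, assumes montana.edu is the organization's only trusted domain, and screens two constructed messages: a reconstruction of the helpdesk scenario above and a harmless maintenance notice.

```python
"""Screen an email for the spear-phishing signals described on this page."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed for this example: the organisation's own domains, and the names an
# impersonator would put in a display name. Replace with your own values.
TRUSTED_DOMAINS = {"montana.edu"}
ORG_NAMES = ("msu", "montana state")

# Wording that asks the reader to hand over a password.
CREDENTIAL_RE = re.compile(
    r"(reply|respond|send|provide|confirm|verify)[^.]{0,60}\bpassword\b", re.I)
# Pressure wording ("failure to respond will result in the deactivation...").
URGENCY_RE = re.compile(r"\b(deactivat\w*|suspend\w*|within \d+ hours?)\b", re.I)
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.I)


def _host_trusted(host: str) -> bool:
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _body_text(msg: EmailMessage) -> str:
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def screen_email(raw: str) -> list[str]:
    """Return the phishing indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: list[str] = []

    # 1. Impersonation: the display name names the organisation, but the real
    #    address (the part a mail client often hides) is outside its domains.
    from_hdr = msg["From"]
    if from_hdr and from_hdr.addresses:
        addr = from_hdr.addresses[0]
        display = addr.display_name.lower()
        if any(n in display for n in ORG_NAMES) and not _host_trusted(addr.domain):
            findings.append(f"sender-impersonation:{addr.addr_spec}")

    body = _body_text(msg)

    # 2. A request for credentials is itself decisive, per the page.
    if CREDENTIAL_RE.search(body):
        findings.append("credential-request")

    # 3. Threats or deadlines used to rush the reader into replying.
    if URGENCY_RE.search(body):
        findings.append("urgency")

    # 4. Links whose real destination is outside the organisation.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not _host_trusted(host):
            findings.append(f"external-link:{host}")

    # 5. Attachments are not proof of anything, but an unexpected one should be
    #    confirmed with the sender out of band, so surface them.
    for part in msg.iter_attachments():
        findings.append(f"attachment:{part.get_filename() or 'unnamed'}")

    return findings


# Constructed sample messages for this example (not real mail).
PHISH = """\
From: MSU Helpdesk <helpdesk@msu-account-support.example.net>
To: student@montana.edu
Subject: Action required: problem with your MSU account
Content-Type: text/plain; charset=utf-8

We are attempting to resolve an issue with your MSU account. To proceed,
reply with your username and password. Failure to respond will result in
the deactivation of your account.
Details: http://msu-account-support.example.net/verify
"""

LEGIT = """\
From: MSU Helpdesk <helpdesk@montana.edu>
To: student@montana.edu
Subject: Planned email maintenance this Saturday
Content-Type: text/plain; charset=utf-8

Email will be unavailable Saturday from 2:00 to 4:00 a.m. for maintenance.
Full details are posted on the IT Center website you already have bookmarked.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, screen_email(raw) or ["no indicators"])
```

A message that trips none of these checks is not thereby safe; the checks only catch the crude cases, which is why the page's advice to verify out of band still applies to anything unexpected.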

What should I do If I receive an email that might be legitimate?

If you receive an email that you believe may be legitimate and that you might need to act on, the only way to be sure you are not being taken advantage of is to close the email and ignore every link, attachment, and phone number it contains. Then open your web browser and type in the address you already know belongs to the organization and log in there, or call the phone number you already know is theirs and speak with somebody. Anything in the message itself, including its contact details, may have been supplied by the attacker.

If you receive an email from MSU and you are not sure if it is legitimate, you can always contact the MSU Helpdesk at 994-1777 or helpdesk@montana.edu and they will be able to help clarify whether it is a valid email or not.

How can I send emails safely?

With so many emails being sent to trick users, it is important to be thoughtful about how we send communications to groups of people, so that we neither confuse them nor train them to click on links. Here are some things to think about when designing and putting together communications:

  • Develop a consistent look and feel. Users should be accustomed to what communications from you look like so that if they receive an email claiming to be from you that looks different, it automatically draws suspicion.
  • Greet users with specific information. Rather than using vague or ambiguous opening lines, greet the individual or group with specific information, such as their name or a specific reference to the group. Keep in mind that spear phishers personalize their messages too, so a correct name makes a message more recognizable but is not by itself proof that it is genuine.
  • Avoid including links. Instead of including links in your email, make sure the information is available online at a place where recipients already know to look for it. You can ask them to bookmark your webpage so that they can retrieve information from there quickly and easily.
  • Avoid attachments when possible. Make any files available to the user through a fileshare or through your website. That way, not only do they not get used to opening email attachments, but their inbox doesn't fill up as quickly!

Resources

FBI Webpage - http://www.fbi.gov/news/stories/2009/april/spearphishing_040109

Microsoft - http://www.microsoft.com/canada/athome/security/email/spear_phishing.mspx

MSU Helpdesk - helpdesk@montana.edu, 994-1777