In a world where phishing scams can come from anywhere at any time, whom can we trust? There are trustworthy sites and links, and there are sites and links that set off that little alarm in your head.

Some sites, like Google for instance, probably never raise those alarms. It’s Google, they would never lead anyone astray! Turns out, this common assumption is exactly what hackers rely on.

There’s a new, complex phishing email out there, and it’s been seen at over 20 companies and several universities. This phish is disguised under several layers of brand-name camouflage: Google Drive and FedEx.

Here’s how it works: An email arrives, disguised as an email from FedEx, claiming a package could not be delivered. The recipient is urged to click a link to print out a shipping label so the package can be picked up in store. Boom, Lebalcopy malware is downloaded and hackers are able to access private information and credentials stored on your computer.

This phish is pretty convincing due to the use of trusted name-brand logos. The scammers are hoping that potential victims have ordered something recently, so they will be more likely to open the email to see why their package wasn’t delivered. Then, because they want their deliveries, they’ll click on the link to print the slip without thinking.

The link is convincing, too. Even if the victim hovers over the HTTPS link, it looks like they’re headed to a Google Drive account. Hackers know people trust Google’s name, HTTPS links, and the word “secure”, so they can reel in dozens of victims. But why would FedEx direct people to a Google Drive link to print a shipping label? If recipients took a moment to think about this phish and its link, they’d be much safer. If you receive an email about a delivery and the links don’t go to the company’s website, don’t click the links. Instead, check on your delivery using vendor websites or phone numbers that you know you can trust.
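For mail administrators, the same question (does the link go to the company the email claims to be from?) can be asked automatically. The following Python is an added example, not part of the original post; the brand allow-list, the sample message, its sender address and the link placeholder are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: allow-list of the domains each brand really sends links to.
BRAND_DOMAINS = {"fedex": {"fedex.com"}}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample: sender address and link path are placeholders.
SAMPLE = """\
From: "FedEx Delivery" <notice@mail.example>
Subject: Your package could not be delivered
Content-Type: text/plain; charset="utf-8"

Print your shipping label: https://drive.google.com/FILE-ID-PLACEHOLDER
Questions? Visit https://www.fedex.com/
"""

def host_in_domain(host, domain):
    """True for the domain itself or a subdomain, not for look-alikes."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def claimed_brands(msg):
    """Brands named in the From display name or the Subject line."""
    display_name, _addr = parseaddr(msg.get("From", ""))
    text = f"{display_name} {msg.get('Subject', '')}".lower()
    return [b for b in BRAND_DOMAINS if re.search(rf"\b{re.escape(b)}\b", text)]

def body_text(msg):
    """Concatenate every text/* part, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def mismatched_links(raw_message):
    """Return (brand, host) for each link that leaves the claimed brand's domains."""
    msg = message_from_string(raw_message)
    findings = []
    for brand in claimed_brands(msg):
        for url in URL_RE.findall(body_text(msg)):
            host = urlparse(url).hostname or ""
            if not any(host_in_domain(host, d) for d in BRAND_DOMAINS[brand]):
                findings.append((brand, host))
    return findings

if __name__ == "__main__":
    print(mismatched_links(SAMPLE))
```

A hit is a prompt for closer review rather than proof of a phish, since legitimate senders sometimes link through third-party services.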

If this phish or another suspicious email pops up in your UDel email, forward it to reportaphish@udel.edu before deleting it from your inbox. Then pat yourself on the back: you’ve identified a malicious email!

If you’ve fallen for a phish, or if you’ve noticed unusual downloads or activity on your computer, contact the IT Support Center. If you fell for a phish in your University email account, 2FA saved your butt and your password’s butt — but you should consider creating a new UD password anyway.

If you fell for a phish in an email account not protected by 2FA, definitely change that password! And if that account offers some form of multi-factor authentication, sign up for it! Using 2FA or multi-factor authentication adds that extra layer of security to your account so this situation won’t happen again.

Stay safe out there and trust your gut, not just flashy brand names!

And above all, Think B4 U Click!