If you’re reading this, you may have spotted March’s test phishing email! This email was sent as part of the Secure UD “Take a BITE out of phish!” campaign, a University initiative to raise our community’s awareness about phishing attacks, their consequences, and how to avoid becoming a victim. Each month, a random sample of employees will receive a harmless test phish like this one:

Sample phishing email with important points indicated.

Let’s see what makes this email so questionable:

  1. Check the sender. If the “from” address is unfamiliar, take a few extra moments to carefully examine the contents of the email message. This email comes from “druse@workportal.email.” Does that sound like anyone you work with or know? If the email is truly coming from the University, the address should end with “@udel.edu.”
  2. Read the subject line carefully. More targeted phishing attempts (called “spear-phishing”) will try to use a generic subject like “are you there?” or, in this case, “are you available?” to increase the chances that you will respond. Read a recent Secure UD article on spear-phishing if you wish to learn more about this problem at the University.
  3. Using your name does not equal legitimacy. Phishers may use your name in order to appear legitimate. In doing so, they are hoping you will comply and provide the information they seek.
  4. Don’t click links within a suspicious email. Take a few extra seconds to check the link by hovering your mouse over it to see the full URL. For some mobile email clients, pressing and holding the link reveals the full URL as well.
  5. Don’t be pressured by a sense of urgency. Cyber criminals may use threats or a false sense of urgency to trick you into acting without thinking. If an email threatens you with consequences for not doing something immediately, step away and take a moment to think it over. If you’re truly concerned, contact the company or sender separately to verify the email’s contents.
  6. Don’t be blinded by official names or logos. Many criminals will use “scraped” logos and branding from a company or university’s website in order to make their emails appear official. For example, this email actually uses scraped UD branding! While some of the branding in this email is legit, there are other factors you should consider when determining whether an email is a phish. No legitimate entity will ever ask you to confirm this information over email.
  7. Check the contact information. Who’s this email really from? In this case, the email is signed by Davin Ruse. Have you heard of this person? If the name seems unfamiliar, a good way to separately verify the sender’s identity is to look the name up in the UD Directory to see if the individual is employed at UD, or even to contact the alleged sender directly through a more verifiable method like a phone call.

Always exercise caution; if you receive a suspicious request for your payment information, or instructions to visit a suspicious website or download a suspicious attachment, forward the message to reportaphish@udel.edu.

And as always, Think B4 You Click!