IT and Library Services

Phishing, spam & social engineering

We all rely heavily on e-mail, both at work and in our personal lives. Because of this, e-mail has become a common means of cyber-crime: an e-mail is a direct route to you, with harmful content only a click away.

Phishing

E-mails or instant messages purporting to be from banks and building societies, popular social networking websites, auction sites, online payment sites or IT administrators are commonly used.

Phishing e-mails often contain links to websites that are infected with "malware": malicious software used to gather sensitive information such as passwords.

Phishing usually takes place through spam e-mails sent to millions of addresses. The e-mails fall into two broad categories: those which offer something that sounds too good to be true, and those which urge you to update security information, threatening account closure or suspension if you don't comply.

Both types direct you to fraudulent sites with the specific intention of getting you to supply personal information, which can then be used for illegal purposes: either accessing your accounts directly, or pretending to be you in order to steal goods and services (which you are then liable for!).

Phishing attacks are not restricted to e-mail; they can also be sent by instant message and text, but they will still direct you to enter your information (password, bank details, date of birth, security information, etc.) at a fake website which may look and feel entirely genuine.

Every year we receive a number of calls from people who have passed over their personal details in response to these types of requests. To make sure you avoid the inconvenience and distress this can cause, please read on!

You can often tell a phishing e-mail because:

  • the sender's e-mail or web address is different to the genuine organisation's addresses
  • the e-mail is sent from a completely different address or a free web mail address
  • the e-mail does not use your proper name, but uses a non-specific greeting such as 'dear customer'
  • the e-mail threatens that unless you act immediately your account may be closed
  • you're asked for personal information, such as your username, password or bank details
  • the e-mail contains spelling and grammatical errors
  • you weren't expecting to receive an e-mail from the company that appears to have sent it
  • the entire text of the e-mail is contained within an image rather than text format
  • the image contains a link to a bogus website
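The checks in the list above can be applied mechanically to a message's headers and body. The following Python is an added example, not code from the original page or from the University's mail system: the table of genuine sending domains, the free-webmail list, the word lists and the three sample messages are all constructed for illustration, and a real mail filter would use far larger lists. It flags a sender address that does not belong to the organisation named in the display name, free-webmail senders, generic greetings, urgency wording, requests for credentials, and a body that is just an image wrapped in a link.

```python
"""Score a raw e-mail against the phishing indicators listed above.

Added example, not part of the original page. The genuine-domain table, the
free-webmail list, the word lists and all three sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the domains each organisation genuinely sends from (assumption).
GENUINE_DOMAINS = {
    "example bank": {"examplebank.com"},
    "university": {"gre.ac.uk", "greenwich.ac.uk"},
}
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

GENERIC_GREETING = re.compile(r"^\s*dear\s+(customer|user|member|account holder)", re.I | re.M)
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|closed|closure|urgent)\b", re.I)
CREDENTIAL_REQUEST = re.compile(r"\b(password|username|bank details|card number|pin)\b", re.I)
IMAGE_LINK = re.compile(r"<a[^>]+href=[^>]*>\s*<img", re.I)


def strip_tags(html: str) -> str:
    """Crude tag removal, sufficient for counting visible words."""
    return re.sub(r"<[^>]+>", " ", html)


def phishing_indicators(raw: str) -> list[str]:
    """Return the indicators from the list above that match this message."""
    msg = message_from_string(raw)
    hits = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # The display name claims an organisation, but the address is not one of its domains.
    for org, domains in GENUINE_DOMAINS.items():
        if org in display_name.lower() and sender_domain not in domains:
            hits.append("sender address differs from the genuine organisation's")
            break
    if sender_domain in FREE_WEBMAIL:
        hits.append("sent from a free webmail address")

    # Collect the text of every leaf part; HTML is kept separately for the image check.
    text, html = "", ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", "replace")
        if part.get_content_type() == "text/html":
            html += payload
        else:
            text += payload
    visible = text + strip_tags(html)

    if GENERIC_GREETING.search(visible):
        hits.append("non-specific greeting")
    if URGENCY.search(visible):
        hits.append("threatens that you must act immediately")
    if CREDENTIAL_REQUEST.search(visible):
        hits.append("asks for a password, username or bank details")
    # The whole message is an image wrapped in a link, with almost no real text.
    if IMAGE_LINK.search(html) and len(strip_tags(html).split()) < 5:
        hits.append("body is an image containing a link")
    return hits


# Constructed sample messages (not real mail).
PHISH_SAMPLE = """\
From: Example Bank Security <alerts@examplebank-verify.com>
To: someone@gre.ac.uk
Subject: Account suspension notice
Content-Type: text/plain; charset=utf-8

Dear Customer,

Your account will be closed unless you confirm your password immediately.
"""

IMAGE_ONLY_SAMPLE = """\
From: University IT Services <it-support@outlook.com>
To: someone@gre.ac.uk
Subject: Mailbox notice
Content-Type: text/html; charset=utf-8

<html><body><a href="http://example.invalid/quota"><img src="cid:notice"></a></body></html>
"""

GENUINE_SAMPLE = """\
From: Example Bank <statements@examplebank.com>
To: alice@gre.ac.uk
Subject: Your March statement is ready
Content-Type: text/plain; charset=utf-8

Dear Alice Smith,

Your March statement is now available in online banking. No action is required.
"""

if __name__ == "__main__":
    for name, sample in [("phish", PHISH_SAMPLE), ("image-only", IMAGE_ONLY_SAMPLE), ("genuine", GENUINE_SAMPLE)]:
        print(name, phishing_indicators(sample))
```

The genuine statement produces no indicators, the first sample trips four of them, and the image-only sample is caught even though it contains no readable text at all, which is exactly why the last two points in the list matter: a filter that only reads words would let it through.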

How can I spot a phishing website?

You may be able to tell a website isn't genuine because:

  • The website's address is slightly different to the genuine company's.
  • There are spelling and grammatical errors on the page.
  • The site isn't secure: a genuinely secure web address where you're being asked to send sensitive personal information should always start https://. Websites that start http:// aren't secure.
  • The padlock for secure sites isn't shown by the browser itself (in the address bar at the top, or the status bar at the bottom of the window), only on the page.

Padlock security

Is it really a 'secure site'? If you visit a secure page you will see the URL change from http:// to https:// and the secure-connection icon (the small padlock) appear in the address bar. Some phishing sites include a padlock image on the page itself, but often get the position wrong: the genuine padlock is displayed by the browser (at the top or bottom of the browser window), not on the page itself.

Only valid certificates issued by approved authorities are trustworthy. If you're still unsure, check whether the name on the certificate matches the name of the company behind the website.
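The address and certificate checks from the two sections above can also be expressed as code. The following Python is an added example, not code from the original page: the set of genuine domains, the sample addresses and the two sample certificate dictionaries (written in the form that Python's ssl.SSLSocket.getpeercert() returns) are all constructed. It covers a missing https:// scheme, two common look-alike tricks (the genuine name buried inside a longer hostname, and a near-miss spelling), and the final check the page recommends: whether the name on the certificate is the company you expect, rather than merely the host you typed.

```python
"""Check a web address against the indicators listed above, plus the
certificate-name check from the padlock section.

Added example, not part of the original page. The genuine-domain set, the
sample URLs and the sample certificate dictionaries are all constructed.
"""
import difflib
from typing import Optional
from urllib.parse import urlsplit

# Constructed: registrable domains the genuine organisation really uses (assumption).
GENUINE_DOMAINS = {"examplebank.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Good enough for this illustration;
    production code should consult the public suffix list (co.uk, ac.uk, ...)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host: str) -> Optional[str]:
    """Return the genuine domain this host imitates, or None when the host is
    genuine or simply unrelated. Two tricks are covered: the genuine name
    embedded as a subdomain (examplebank.com.secure-login.net) and a near-miss
    spelling (examp1ebank.com)."""
    host = host.lower()
    mine = registrable_domain(host)
    for genuine in GENUINE_DOMAINS:
        if mine == genuine:
            return None                      # a real subdomain of the genuine site
        if genuine in host:
            return genuine                   # brand name used as a subdomain or prefix
        brand = genuine.split(".")[0]
        if difflib.SequenceMatcher(None, mine.split(".")[0], brand).ratio() >= 0.8:
            return genuine                   # one or two characters changed
    return None


def website_warnings(url: str) -> list[str]:
    """Warnings matching the 'How can I spot a phishing website?' list."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme != "https":
        warnings.append("address does not start with https://")
    imitated = lookalike_of(host)
    if imitated:
        warnings.append(f"address {host} resembles {imitated} but is not that domain")
    return warnings


def cert_names(cert: dict) -> list[str]:
    """Hostnames a certificate vouches for, taken from the dictionary form
    that ssl.SSLSocket.getpeercert() returns (subjectAltName plus commonName)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(value for key, value in rdn if key == "commonName")
    return names


def cert_belongs_to(cert: dict, company_domain: str) -> bool:
    """The page's final check: is the name on the certificate the company you
    expect? A browser only verifies that the certificate matches the host you
    typed, and a look-alike host can carry a perfectly valid certificate."""
    return any(registrable_domain(name.lstrip("*.")) == company_domain
               for name in cert_names(cert))


# Constructed sample certificates in getpeercert() dictionary form.
GENUINE_CERT = {
    "subject": ((("commonName", "examplebank.com"),),),
    "subjectAltName": (("DNS", "examplebank.com"), ("DNS", "*.examplebank.com")),
}
LOOKALIKE_CERT = {
    "subject": ((("commonName", "secure-login.net"),),),
    "subjectAltName": (("DNS", "examplebank.com.secure-login.net"),),
}

if __name__ == "__main__":
    for url in ("http://examplebank.com.secure-login.net/login", "https://www.examplebank.com/login"):
        print(url, website_warnings(url))
    print("genuine cert names the bank:", cert_belongs_to(GENUINE_CERT, "examplebank.com"))
    print("look-alike cert names the bank:", cert_belongs_to(LOOKALIKE_CERT, "examplebank.com"))
```

Note the order of the checks: the scheme and the look-alike test need only the address, while the certificate test needs the name the browser shows when you click the padlock. The look-alike certificate is perfectly valid for its own host, so only comparing it against the company you expect reveals the problem.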

What happens if I reply to a phishing e-mail?

If you give away your password, the criminals will have access to e-mail and other University services.

Your e-mail could be read or deleted, and replies to junk mail could fill up your inbox.

If you give away other information such as personal data this could be used to commit theft and fraud using your identity.

Your identity could be used to falsely take out loans, or credit cards in your name.

False identity documents in your name may be created and used by criminals and you could be held responsible for their actions.

What happens if I click on a link in a phishing e-mail?

If you click on a link in a phishing e-mail you may be taken to a fake website which will try to get you to input personal information such as your username and password, or other personal data such as your date of birth.

If you give away your password, the criminals will have access to e-mail and other University services.

If you give away other information such as personal data this could be used to commit theft and fraud using your identity.

I have received an e-mail telling me my account was over quota and I needed to provide my password, is this genuine?

No!

IT and Library Services (ILS) NEVER lock you out of your account or require you to provide your password if you are over quota!

You will receive an e-mail warning when you are approaching or have reached your mail quota.

When you reach your quota you won't be able to send or receive e-mail, or save any new or changed files, but you will still be able to log in and see your e-mails and documents.

You need to either delete or archive some e-mails before your service will return to normal.

Spam

We have taken action to reduce the amount of junk mail you receive, but it is not possible to stop it completely.

The most important advice we can offer is never to reply to the message. This only serves to inform the sender that your e-mail account is valid. The sender will have sent the message to thousands of e-mail addresses, many of which will no longer be in use. Don't let them discover that your e-mail address is valid.

What is the University doing to combat spam?

Our system is already stopping a large number of unsolicited e-mails or marking them as possible spam. You may have received messages with "[SPAM?]" at the start of the subject line, or found e-mails being delivered to the "Junk E-mail" folder in Outlook. This is our system attempting to identify unsolicited e-mails for you. However, as yet the technology does not exist to accurately identify spam 100% of the time. Therefore, the system will not block some messages in case they are genuine. The contents and senders of e-mails differ so widely that it is not feasible to apply a general rule which will reliably stop them without the risk of throwing out genuine messages in the process. We are constantly improving the efficiency of the spam detection systems we use, but there will inevitably be some unwanted e-mails that still get through.

What can you do about it?

The solution is simply to delete the messages. However, if you are receiving spam from a university e-mail address (an address ending in "@gre.ac.uk" or "@greenwich.ac.uk") then you should notify the IT Service Desk as soon as possible.

There has been a big rise in the quantity of spam e-mail recently. While the university employs methods to protect staff and students, it is still wise to remain vigilant to the threat posed.

Hoax

Hoax e-mails can include:

  • A 'helpful' warning about a (fake) virus, quite often from someone 'once removed' (e.g. '...this happened to a friend of mine and I was so concerned that I thought I should let you know...').
  • Offering a free gift, voucher or cash for forwarding the email (these can also be pyramid schemes that promise unfeasibly huge amounts of money if the message is forwarded to enough people).
  • An emergency request from a charity: these are more prominent after genuine disasters, so if you do want to make a donation, don't click on any of the links within the mail, go to the charity directly. Use Google or Yahoo to find the genuine website.
  • An appeal on behalf of someone who is ill or in trouble (stranded far from home with lost documents and no cash).
  • Straight-forward chain letters.
  • Malicious emails that damage the reputation of an individual.

What can you do about it?

Be vigilant: common features of hoax emails include:

  • A request to forward it on to multiple people.
  • Claims which sound realistic but which you can't confirm.
  • Exaggerations and urgency: 'the WORST ever' or 'act NOW or lose out FOR EVER!!!'.
  • Name dropping which can't be confirmed: 'Angelina Jolie & Brad Pitt/Top international bankers rely on this every day....'.
  • Emotional manipulation: 'Need cash? Make £1000 in 2 hours', 'A small child is desperately ill and only you can help'.

Keep them to yourself: don't forward any of these types of email, just delete them.

Ignore them: If you receive one from someone you know, just ignore it or maybe even point them in the direction of a reputable source of advice about hoax emails.

Social engineering

These are techniques which trick you into supplying information for fraud or system access, BUT they aren't restricted to the online environment and are just as likely to come to you via a telephone call or even a face-to-face conversation (e.g. a telephone call from someone impersonating a technical support agent, or an 'IT technician' asking you to log on to their machine with your details).

In some instances the smallest piece of personal information (e.g. a date of birth, details of the school you attended, your workplace) can be used to give an air of credibility to these individuals. The increasing popularity of Facebook, and the naivety of many users when publishing personal information about themselves, have become a source of information for fraudsters looking to gain a 'foot in the door'.

What can you do about it?

Publish at your peril: Think about all the information you have published online, via Facebook, Twitter or your own personal web pages, and also consider what is published about you in staff or club membership profiles which are created or posted online. Review what's there (try 'Googling' yourself to check if there are any listings for you that you didn't know about or remember) and make sure personal details are either removed or only visible to those who actually know you.

Don't be afraid: It's ok to challenge anyone who requests personal information by phone, email, text or face to face: genuine individuals will understand and won't mind. Fraudsters rely on our reluctance to stand up and query their legitimacy or to refuse a polite request.