Chances are you’ve received emails that appear to be from legitimate companies telling you your account has been suspended and you must log in immediately, or offering a link to tracking information for a package you didn’t order. These emails are usually phishing scams. Phishing is the fraudulent practice of sending emails that pretend to come from a reputable source in order to steal passwords or sensitive personal or financial information, or to install malware on the target’s computer.
Unfortunately, MIT community members are popular targets for these sometimes difficult-to-detect scams. The best defense against phishing attempts is to not click on links or download attachments in any email that you weren’t expecting, even from someone you may know.
A very real threat
Email attachments and downloads from malicious websites are the top two malware delivery methods. Security firms estimate that 30 percent of phishing emails are opened, with a 10 percent chance that a phishing email will succeed in either stealing sensitive information or installing malware.
These emails are successful because they manipulate our sense of urgency, fear, curiosity, greed, and desire to please. It’s common for attackers to make it seem like the message is coming from the IT department of your school or employer, your manager, friends, or companies that you do business with.
In the past, phishing emails were easy to identify because of poor spelling, grammar, or formatting. Now attackers are employing increasingly sophisticated methods, using hypertext markup language (HTML) to mimic legitimate email and login pages.
Some users at MIT have been targets for “spear phishing” attacks, where scammers use freely available information to craft an attack just for you. They might spoof your manager’s email address, or send a malicious attachment related to your job role or field of study.
Proceed with caution
No one at MIT will ask you to send your password via email. If you need to reset your MIT Kerberos password at any time, visit ca.mit.edu/ca/cpw.
IS&T asks that you please report all suspicious emails to firstname.lastname@example.org so our Security team can improve the Institute’s spam filters and block malicious senders and links. Be sure to forward such emails as an attachment rather than inline: an inline forward keeps only the visible body, while an attachment preserves the original message headers (the sending servers, return path, and authentication results) that the team needs to trace and block the sender.
If a suspicious email looks like it’s from a friend, coworker, or business associate, you can verify it by contacting the sender through a channel the attacker does not control. Don’t reply to these emails directly: a reply goes wherever the message’s Reply-To header points, which may not be the person named in the From line. Instead of clicking ‘Reply,’ forward the email and type the address of the person you want to contact into the address field of your email client, or reach out to the person another way, such as by phone, text, or chat.
Similarly, if you’re asked to click on a link to validate your account with a website, go to the site directly in a browser by typing its address, without clicking on the link in the email, and log in as you normally would. The text shown for a link in an HTML email is not necessarily where the link actually goes.
Once attackers compromise an email account, they may try a technique known as “conversation hijacking.” If they find an email thread in your mailbox between you and a vendor, for example, they will reply to the vendor while spoofing your address, and separately start a thread with your organization while spoofing the vendor. With two threads established, they can act as a man in the middle, using information from each side to make the conversation appear legitimate while changing details, such as bank account numbers, to suit their needs. If a conversation seems strange, such as a changed payment deadline or a switched account number, verify its legitimacy by reaching out to the person or organization you think you are dealing with another way (forwarding to a known good email address, calling by phone, etc.).
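The checks described above (the headers that survive only when a message is forwarded as an attachment, a Reply-To that points somewhere other than the From address, and HTML links whose visible text names a different site than their destination) can be applied mechanically to a raw .eml file. The following Python script is an added example written for this page, not code from IS&T; the message it inspects is constructed for the example, and every host and address in it (example.edu, mail-example.invalid, and so on) is a placeholder, not a real MIT or attacker domain.

```python
"""Inspect a raw email (.eml text) for common phishing signals.

Added example, not IS&T code.  SAMPLE_EML below is a constructed message;
all of its domains and addresses are placeholders.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: spoofed From, mismatched Reply-To/Return-Path, SPF failure,
# and a link whose visible text differs from its href.
SAMPLE_EML = """\
Return-Path: <bounce@mail-example.invalid>
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
\tby inbox.example.edu with ESMTP id abc123; Mon, 1 Jan 2024 09:00:00 -0500
Received: from unknown (HELO webmail.example.edu) (203.0.113.7)
\tby mx.example.edu with SMTP; Mon, 1 Jan 2024 08:59:58 -0500
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=mail-example.invalid
From: "IS&T Help Desk" <helpdesk@example.edu>
Reply-To: helpdesk-support@mail-example.invalid
To: user@example.edu
Subject: Your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended. Log in immediately at
<a href="http://login-example-edu.invalid/reset">https://idp.example.edu/login</a>
to keep access.</p>
</body></html>
"""


def addr_domain(value):
    """Lower-cased domain of the first address in a header value, or None."""
    m = re.search(r'@([\w.-]+)', str(value or ''))
    return m.group(1).lower() if m else None


def looks_like_url(text):
    """True if anchor text reads as a URL or bare hostname (e.g. idp.example.edu/login)."""
    return bool(re.match(r'^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$', text, re.I))


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href')
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return (visible text, href) for links whose shown host differs from the real one."""
    parser = LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue  # "Click here" text carries no host to compare against
        shown = urlparse(text if '://' in text else 'http://' + text).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown.lower() != actual.lower():
            out.append((text, href))
    return out


def analyze(raw):
    """Parse a raw message and return the Received chain plus a list of findings."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = addr_domain(msg['From'])
    reply_dom = addr_domain(msg['Reply-To'])
    return_dom = addr_domain(msg['Return-Path'])
    if reply_dom and reply_dom != from_dom:
        findings.append(f'Reply-To domain {reply_dom} differs from From domain {from_dom}')
    if return_dom and return_dom != from_dom:
        findings.append(f'Return-Path domain {return_dom} differs from From domain {from_dom}')
    auth = str(msg['Authentication-Results'] or '')
    if re.search(r'\b(spf|dkim|dmarc)=fail', auth):
        findings.append('authentication failure: ' + auth)
    body = msg.get_body(preferencelist=('html',))
    html = body.get_content() if body else ''
    for text, href in mismatched_links(html):
        findings.append(f'link text {text!r} actually points to {href}')
    # These Received hops are exactly what an inline forward throws away.
    return {'received_hops': msg.get_all('Received', []), 'findings': findings}


if __name__ == '__main__':
    report = analyze(SAMPLE_EML)
    for hop in report['received_hops']:
        print('Received:', hop)
    for finding in report['findings']:
        print('FINDING:', finding)
```

Run it against a message saved from your mail client as .eml (the format a forward-as-attachment produces) rather than against an inline forward, which has already lost the Received and Return-Path headers the script relies on. A clean Authentication-Results line is not proof of legitimacy, since a compromised account passes SPF and DKIM for its own domain, which is why the text above still recommends verifying out of band.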
See examples of phishing emails
An article in the IS&T Knowledge Base provides some examples of “phishy” MIT emails. Recent phishing emails targeted at MIT are often shared on the MIT Phish Bowl on Flickr, as well as on our Twitter, Facebook, and Instagram feeds.
Other ways to protect yourself
MIT's Information Protection website recommends tasks to protect low risk information which can help protect your devices and data from malware that might be spread through phishing. The tasks include: running the Sophos Anti-Virus and CrowdStrike security agents, enabling automatic updates in your browser and operating system, backing up your computer regularly, and enabling the operating system firewall on your computer or laptop.
If you have questions about implementing these recommendations, reach out to your local IT support or the IS&T Service Desk. To report an IT security threat or incident, please contact the IS&T Security Team at email@example.com or IS&T Security.