Scams: Phishing and Other Fraudulent E-mail

Spam is irrelevant or inappropriate messages sent on the Internet to a large number of recipients. The items described on this page are more malicious than spam.

What is Phishing?

Phishing Drills Scheduled Dec 4-8, 2017

E-mail accounts are easy targets for a wide variety of fraudulent communications, including scams (such as fake job opportunities) and phishing (e-mails asking you to reply or taking you to fake websites to obtain your credentials). While our e-mail filtering services prevent many of these from reaching your Inbox, some do make it through.

There is also "Smishing" for SMS (text messages) and "Vishing" for voice calls. Beware of portable media also, such as USB devices or flash cards, which could be infected with viruses.

The University is required to conduct continuous awareness training events. Ongoing phishing drills will be run throughout the year, so be on your toes! Don't click the link! Don't answer the text message. Hang up on the fraudulent caller. Do not plug that thumb drive you found into your computer!

Don't Click the Link!

UW-La Crosse has a great video on "Don't Click on the Link" that helps to illustrate some of the methods we describe below.

Recognizing Phishing E-mails

Phishing e-mails are messages designed to obtain your account credentials. Once the sender has obtained your credentials, they're most often used to send out junk mail, though in some cases the logins have been used to obtain access to identity information. Phishing e-mails usually have one or more of the following properties:

  • Bad spelling and/or grammar - official e-mails are usually reviewed by multiple people prior to being sent to ensure proper spelling and grammar.
  • Links to click to log in - legitimate e-mails sometimes contain links to a login page, but more often will link to a page with more information. You can often hover your mouse pointer over an e-mail link in a message to gain additional clues; your computer's web browser should display the actual link destination either near the link or in its status bar.  If you are unsure whether the message is legitimate, please check with the purported source or with DoTS before clicking a link in the message.
  • Threats - phishing e-mails usually contain a time-sensitive threat regarding your account access. While DoTS does send notices regarding account access, the notices do not offer the opportunity to avoid access loss.  See the list of related articles on this page for more information on when Falcon Account access is removed.
  • Faking/spoofing legitimate branding or logos - phishing e-mails and websites sometimes contain legitimate-looking graphics.  Most legitimate official e-mails do not contain branding. If you are on a page asking you to log in with your Falcon account credentials, verify the web address in the URL bar starts with a uwrf.edu address such as https://idp.uwrf.edu/ or that you were sent to the login page from a legitimate uwrf.edu site.

If you question whether an e-mail or login page is legitimate, please contact DoTS.  We are happy to answer questions about the legitimacy of a questionable e-mail or website.
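
The two checks described above (comparing what a link displays with where it actually goes, and confirming that a login address is really under uwrf.edu) can also be run over a message body by mail or help-desk staff. The following Python code is an added example, not DoTS tooling; the function names and the sample message are constructed for illustration, and "login.example" is a made-up lookalike host.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "uwrf.edu"  # campus domain named on this page

def is_trusted_login_url(url, domain=TRUSTED_DOMAIN):
    """True only for https URLs whose real host is `domain` or a subdomain."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:           # malformed host, e.g. broken IPv6 brackets
        return False
    if parts.scheme != "https" or parts.username is not None:
        return False             # plain http, or "user@host" hiding the real host
    host = (parts.hostname or "").rstrip(".")
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs, i.e. what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(html_body):
    """Return (text, href) for every link that does not lead to the trusted domain."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(t, h) for t, h in collector.links if not is_trusted_login_url(h)]

# Constructed sample body; "login.example" is a made-up lookalike host.
SAMPLE = """
<p>Verify now: <a href="https://idp.uwrf.edu.login.example/">https://idp.uwrf.edu/</a></p>
<p><a href="https://idp.uwrf.edu@login.example/">Log in</a> or use
<a href="https://idp.uwrf.edu/">the real login page</a>.</p>
"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE):
        print(f"shown: {text!r} -> goes to: {href}")
```

Both flagged links contain the text "idp.uwrf.edu" somewhere in the address, which is why the check compares the parsed host name rather than searching the address for the campus domain.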

Recognizing Scam E-mails

Scam e-mails encompass a wide variety of fake opportunities:

  • "Old-Fashioned" Fraud Schemes (some of which predate e-mail): bogus business opportunities, chain letters, work-at-home schemes, health and diet scams, easy money, "free" goods, investment opportunities, bulk e-mail schemes and "guaranteed" loans. As with many things, if it's "too good to be true", it probably is not legitimate.
  • Bogus Job Opportunities: opportunities which promise you a great deal of money with very little effort, including phrases like "work only hours a week", "set your own hours" and "work from home".  Once contacted, these employers may contact you to obtain financial information under the guise of setting up payroll. While some job opportunities may be legitimate, it's always better to be safe than sorry, particularly when your bank and/or identity information is involved.  Never provide banking information, your social security number, or ID information unless you are certain it is for a legitimate reason. Often times, bogus job opportunity e-mails contain wording including “money transfers”, “wiring funds”, and “cashier’s checks”.  Be cautious if a contact e-mail address does not utilize a primary domain.  For example, an employer named "Omega Inc." with a Yahoo! e-mail address is suspicious.  Grammar and spelling errors are also red flags that an opportunity may be a scam.  Contact Career Services if you have questions about a job opportunity.
  • Health and Diet Scams: these scams prey on insecurities some people have about the state of their well-being. They attempt to lure customers with promises of quick fixes and amazing results, discounted pricing, fast delivery, waived prescription requirements, privacy and discreet packaging. These scams may contain phrases similar to "reduce body fat and build lean muscle without exercise", "takes years off your appearance", and "gives energy and burns fat".  Though they may seem to be backed by customer testimonials, beware: the products don't work.  Contact Student Health Services or your doctor if you have questions about health offers.
  • Discount Software Offers: these offers may offer popular and expensive software at low prices.  As a student or university employee, you have access to software discounts through a number of avenues, including WISC, Microsoft Office 365 and the University Bookstore. There are a number of easy-to-find legitimate retailers online as well. If you have questions about an offer, please contact DoTS.
  • Advanced Fee Fraud (419/Nigerian Scams): these schemes are quite elaborate and despite their somewhat preposterous appearance manage to hook a surprising number of victims, enticing them into a bogus plot to acquire and split a large sum of cash.  These messages often request urgent response and may reference African locations or nationalities. There are thousands of variations of these messages, but in short if you receive an e-mail proposing an arrangement to secure and split funds in a foreign land, you can safely assume it's a scam.

Results of Past Phishing Expeditions

April 2018 Student Phishing Campaign

A phishing campaign that was coordinated with the University Police department was performed with emails sent between April 19 and April 26, 2018.  The cut-off date for clicks and statistical review was May 6, 2018.  As with all phishing campaigns, a hit rate of 0% was the desired number.  Unfortunately, the hit rate was 1.35%, with 1.31% clicking on the link in the email (which then received the landing page for education) and 0.06% replying to the email.  Of the 7 replies, 4 were actual personal information provided and the other 3 were automated or duplicated emails.  The 4 individuals that replied with their personal details received an educational email from the Chief Information Security Officer to inform them about phishing.

| Metric Group | Metric | Count | Opportunities | Engagement Percent | Metric Description |
|---|---|---|---|---|---|
| Outbound | Emails Sent | 11,370 | 11,370 | 100.00% | The # of emails sent by PhishLine mail servers. |
| User Response | Activity Detected | 154 | 11,369 | 1.35% | The # of emails where any type of activity was detected e.g. Clicked Link, Viewed Image, Reply. |
| User Response | Clicked Links | 149 | 11,369 | 1.31% | The # of emails where the user clicked on a landing page link or interacted with a smart attachment. |
| User Response | Reply Received | 7 | 11,369 | 0.06% | The # of emails where the user sent a reply. |
| Inbox | Out of Office | 3 | 11,369 | 0.03% | The # of emails where the user sent an automated Out Of Office response. |

[Figures: "Email Sent" (screenshot of the email sent to the students) and "Landing Page" (screenshot of the landing page viewed by students who clicked)]

December 2017 Faculty & Student Employee Awareness Training

(PDF version)