Technical Note - Avoiding Phishing Attacks

Summary

Phishing attacks are attempts to steal computer usernames/passwords via Social Engineering. This technical note describes typical phishing attacks in more detail, provides tips on how to recognise them and explains why you need to protect your computer login details from being phished. Although the technical note refers specifically to your ECS/SMS account, most of the information here will apply to any other computer logins you have (ie: VUW SCS, VUW staff, online banking, etc).

Phishing attacks are relatively easy to spot since they usually match one or more of the characteristics detailed below. If you recognise one you may think it best to report it to us so we can warn others. Unfortunately there are way too many of these attempts for us to send out warnings about every one (it's not unusual for ECS technical support staff to receive three or four phishing attempts a day!). So unless there is something unique or particularly clever about an attempt (eg: it doesn't match any of the typical characteristics we list below) the best course of action is to simply ignore it. But if you feel a particular attempt should be reported you can do so by sending an email to jobs@ecs.vuw.ac.nz

Phishing Attacks in More Detail

Phishing attacks are most commonly seen in email, although other methods are possible including blog posts, social media services such as Twitter or Facebook and even phone calls, TXT messages or letters. They most often take the form of a request that you provide the username and password for a computer account you use in order to "re-validate" it. For requests that come via an electronic message there will often be a link that you can click on in order to do this. But the link will point to a fraudulent web page and if you enter your username and password details they will be recorded for later use by the attackers.

Another form of fake email is one that doesn't attempt to obtain login account credentials, but instead tries to directly scam the recipient. One very common scam is to send an email pretending to be someone the recipient knows. If the recipient responds they are told that the sender is busy but needs a favour such as purchasing gift cards for the sender, the cost of which will be reimbursed later. Of course the reimbursement never happens! The most obvious clue that this is a scam is that even though the name associated with the email address is familiar, the address itself is "odd". If you find yourself in an email exchange like this you should stop engaging with the sender until you verify by some other means that the email address genuinely belongs to the person you know.
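The "familiar name, odd address" clue described above can be turned into a simple check on the From: header. The following is an added example, not part of the original technical note and not an ECS tool; the contact list, addresses and message bodies are constructed placeholder values. It only catches the case where the display name matches someone you know but the address does not; it cannot detect a message whose From: address has been forged outright.

```python
import email
from email.utils import parseaddr

# Constructed contact book: lowercase display name -> the address you know for that person.
# These are placeholder values, not real ECS addresses.
KNOWN_CONTACTS = {
    "a. colleague": "a.colleague@school.example",
}

# Constructed sample messages (placeholder addresses).
SAMPLE_SCAM = b"""From: "A. Colleague" <a.colleague.personal@mail.example>
To: you@school.example
Subject: quick favour

Are you free at the moment? I need a favour but I'm in a meeting.
"""

SAMPLE_GENUINE = b"""From: "A. Colleague" <a.colleague@school.example>
To: you@school.example
Subject: lab meeting

See you at 2pm.
"""


def from_header_check(raw_message, known=KNOWN_CONTACTS):
    """Parse one raw email and compare its From: display name and address
    against the contact book. Returns (display_name, address, verdict)."""
    msg = email.message_from_bytes(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name_key = name.strip().lower()
    addr_key = addr.strip().lower()
    expected = known.get(name_key)
    if not addr_key:
        verdict = "no usable From: address"
    elif expected is None:
        verdict = "sender not in contact book"
    elif addr_key == expected:
        verdict = "name and address match contact"
    else:
        # The gift-card scam pattern from the note: a name you know on an address you don't.
        verdict = "name matches contact but address differs (expected %s)" % expected
    return name, addr, verdict


if __name__ == "__main__":
    for sample in (SAMPLE_SCAM, SAMPLE_GENUINE):
        print(from_header_check(sample))
```

A real mail client already shows both fields; the point of the check is that the decision is made on the address, and the display name is treated as untrusted text.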

ECS Will Never Ask For Your Login Details!

If you don't read any further through this technical note than this section you should remember this one fact.
The only time you will ever be asked to provide your ECS/SMS username and password is when you are logging on to one of our systems or services. We will NEVER ask you to provide this information in any other situation. If you receive ANY form of communication asking for your ECS login details (eg: an email containing a link that takes you to a page prompting you to login) it is more than likely a phishing attempt and you should NOT respond to it.

Remembering this fact will greatly reduce the possibility of your ECS/SMS login details falling into the wrong hands.

If you are certain you will ALWAYS remember the above and that you'll never respond to any such requests you probably don't need to read the rest of this technical note. But if you don't think protecting your ECS/SMS login is important or if you want to learn more about phishing, read on...

Why Should You Care?

Your ECS/SMS computer account may not contain anything that you consider valuable or confidential so you may not care if your account is broken into and information is lost or stolen. But there can be other, arguably worse, consequences of your account being misused by others.
  • Often attackers will use your login account to generate further phishing or spam emails, denial of service attacks or other forms of electronic harassment. Any actions initiated from your ECS/SMS login may be attributed to you (since you are the only one who knows your password!). If those actions breach the university's Information System Statute or Student Conduct Statute there could be serious consequences for your employment or ability to study at Victoria University.
  • The attackers may be able to use access to your ECS/SMS login to break into other more valuable accounts that you use (ie: bank accounts, etc).
  • Any spam emails sent or phishing attacks launched from a compromised ECS account can overload ECS servers which may inconvenience other users. ECS systems can also be blacklisted by various spam detection services which may result in legitimate email being classified as spam and not reaching its intended recipient(s). Getting de-listed from these services can be a difficult and time consuming process for system support staff.

Phishing Attack Characteristics

Although phishing attacks vary in their sophistication, even the cleverest ones generally give themselves away in one way or another. Here are some common characteristics to look out for.
  • A generally threatening tone ("your account will be suspended") and/or a sense of urgency ("you must act immediately to avoid this").
  • Generic sounding names for services and/or people (ie: a message about your "Web Mail Service" rather than "The School of Engineering and Computer Science's mail server"; a message from "The IT Support Team"; or a message to "The Account Holder"). A genuine email from the ECS IT system support team relating to ECS/SMS computing services will be from a recognisable member of staff (check out the Technical Staff section of our web site if you're not sure who we are). And it will refer to services that are verifiably run by ECS. Also remember we are a school within Victoria University and you are (probably) a staff member or student at the university. So anything that refers to us as a "webmail provider" or to you as an "account holder" or "customer" should be treated with suspicion...
  • Bad grammar, odd capitalisation and/or poor sentence structure in the email. At least, we hope that any genuine email sent out by ECS system support staff will be better than typical phishing emails in this regard!
  • Suspicious Web URLs. For example, in an email asking for your ECS/SMS account details, URLs with domains (the bit between the "http://" and the next "/") that don't end in ecs.wgtn.ac.nz are almost certain to be fraudulent. And a URL path (the bit after the domain) containing text such as "ecs" or "vuw" isn't more likely to be genuine - it probably just means the attack has been specifically targeted at VUW or ECS/SMS staff and students! In many mail programs you can hover the mouse pointer over a link to see the URL that it points to. Before you click on a link you should think about whether the URL makes sense given the content of the email. But don't assume a genuine looking URL indicates a genuine email since sophisticated attacks can disguise the URL to make it look more trustworthy.
  • A web URL that takes you to a generic page that doesn't look like any on-line service you use (ie: no logos, different colours or page style, no mention of the organisation name, etc). But as with the previous item, don't rely solely on what a web page looks like when determining if it is genuine. Attacks that specifically target a particular organisation can use convincing copies of that organisation's web pages. For example, ECS has been targeted a number of times by attacks that provide a link to a fraudulent copy of our RoundCube web mail login page.
  • The reason given for needing to revalidate your account is often one of:
    • The account has exceeded its disk usage quota but by revalidating your quota will be increased;
    • The account has been used for "suspicious activity" and you need to change the password to prevent this;
    • The account has been inactive and will be closed unless you confirm you still use it by logging on.
All phishing attacks we have seen to date have matched one or more (and frequently all!) of the above. But it's likely that as attacks become more sophisticated these characteristics may be insufficient for reliable identification and may need to be updated.

For example, if clever attackers are specifically targeting ECS they could find the name of one of our technical support staff and forge the email sender (contrary to what many believe, the From: header in an email is NOT a reliable indication of who actually sent the email). So one day you might receive an email from me (Duncan McEwan) containing (reasonably) good grammar and a plausible sounding request to change your ECS password to ensure continued access to ECS computers in the Cotton Building labs. The email might helpfully include a link that takes you to a web page where you can do this. Fortunately, whether or not it contains a link and regardless of how convincing it seems in other ways, you should still recognise it as a phishing attempt. That's because of what we said earlier: ECS will NEVER send you any electronic communication asking you to provide login and password details whether via a web link or any other means.

It is possible that in rare circumstances we may need to communicate with you in a way that you could think was a phishing attempt. For example, there might be valid technical reasons why we need to ask you to change your ECS/SMS password. But if we ever have to do this we will do everything possible to let you know you are not being phished. To start with we'll make sure that our request doesn't match any of the phishing characteristics listed above. We'll also provide other ways you can authenticate the message to reassure you that you are not the victim of a new super-smart phishing technique. If that's not convincing enough you can (and should) contact us personally for verification.

What If I Realise That I Have Been Phished?

If you enter your username and password into a web page and then realise you shouldn't have, you should change your password as soon as possible.

ECS provide a web page for doing this, but we can't provide a link or mention any domains or URLs to direct you there because we can't guarantee that you are reading a genuine copy of this technical note! A fake copy could provide a link or directions to a fake ECS password changing page! So the following (imprecise) instructions are the best we can offer. You will need to fill in the missing details based on what you know about the ECS, SMS and Victoria University web sites.

  1. Go to the ECS or SMS school home page. If you aren't sure what URL to enter for this, the home page for any ECS or SMS course should do. Or go to the main university home page and click on the "Faculties and Schools" side bar link and then on the "School of Engineering and Computer Science" link.
  2. From the ECS home page, click on the "Wiki" link. From the SMS home page click on the "Student Resources" link.
  3. Click on the "Technical Support" link in the sidebar and then on "Online Applications".
  4. You should now see a "Change Password" link, which will take you to the correct place.

If for some reason you can't do this, send an email to jobs@ecs.vuw.ac.nz explaining the situation. We will temporarily block access to your account until you are able to change your password.