University inboxes have received approximately 250,000 malicious emails since a phishing attack started over the weekend — and these were just the ones that made it through automatic filters. These emails are part of an ongoing phishing attack against Metropolitan State University of Denver, where an unknown actor is using fake or compromised email accounts to send messages with malicious file attachments to as many people as possible.
The goal, as with any phishing attack, is to trick unwitting users into giving away things of value — either by opening a malicious attachment that gives the attacker access to the victim’s device or by replying to the message and prompting the attacker to ask for information or money under false pretenses, said Mike Hart, MSU Denver’s chief information security officer.
The good news is that many users have correctly identified and reported these messages as malicious: the last wave of the attack alone generated more than 1,000 reports. Unfortunately, some users have fallen prey to the attack; some have disclosed their Social Security numbers, and others have lost money outright.
“It’s important to remember that the human element can be the most vulnerable part of cybersecurity, but with a little knowledge and a careful eye, it can be as robust as any security system,” Hart said.
How to identify a phishing email and tips to keep yourself safe
An email arrives in your inbox from an unfamiliar sender. The subject line is vague or generic, and the body of the email is empty, except for a notice from MSU Denver’s email server informing you the message came from outside the University. There is an attachment, but the name of the file is as unhelpful as the subject line. What do you do?
- Verify the source of the email before replying or acting on any instructions, especially when money or personal information are involved.
- An “official” message coming from a non-official email domain (e.g. from gmail.com instead of msudenver.edu) is a major red flag. Check the actual address, not just the display name; a sender can set the display name to anything.
- Whenever possible, verify the source through a separate, non-email channel.
- Don’t open unrecognized links or unexpected attachments. Hover over a link to see its real destination before clicking, and treat any attachment you were not expecting as suspect, even if the sender looks familiar.
- Give extra scrutiny to any messages that are urgent, alarming, poorly written or too good to be true.
- No legitimate organization will ever ask for your password.
- Do not give your Social Security number or other sensitive data as part of a job offer without being confident in the legitimacy of the receiving organization.
- Be wary of emails that ultimately ask you to deposit a check on someone else’s behalf; these are almost always scams.
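The checks above can also be run against a saved copy of a message. The script below is an added example, not code from MSU Denver or ITS; it uses only Python’s standard email library to report the points a reader would otherwise check by eye: the address behind the display name and whether it is on the University’s domain, whether replies are redirected elsewhere, whether the body is empty apart from the external-sender notice, and what attachments are present. The two messages at the bottom are constructed for illustration; msudenver.edu is taken from this article, while the exact wording of the external-sender notice, the list of risky file types and the addresses in the samples are assumptions.

```python
"""Triage a saved message against the phishing red flags listed above.

Added example, not from the MSU Denver article or ITS. Standard library only.
"""
from email import policy
from email.parser import BytesParser

ORG_DOMAIN = "msudenver.edu"                      # the University's domain (from the article)
ORG_NAMES = ("msu denver", "msudenver")           # how the University tends to appear in display names
EXTERNAL_BANNER = "came from outside"             # assumed wording of the server's external-sender notice
RISKY_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".zip", ".htm", ".html")


def triage(raw: bytes) -> dict:
    """Return the sender domain, attachment names and a list of red flags for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. The display name is free text chosen by the sender; only the address in
    #    angle brackets carries a domain, so that is what gets compared.
    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    sender_domain = sender.domain.lower() if sender else ""
    if sender is None:
        findings.append("no parseable From address")
    elif sender_domain != ORG_DOMAIN:
        findings.append(f"sender address is on {sender_domain}, not {ORG_DOMAIN}")
        if any(name in sender.display_name.lower() for name in ORG_NAMES):
            findings.append("display name claims the University but the address does not")

    # 2. Replies go to Reply-To when it is present, so a Reply-To on another
    #    domain routes your answer to someone other than the apparent sender.
    reply_hdr = msg["Reply-To"]
    if reply_hdr and reply_hdr.addresses:
        reply_domain = reply_hdr.addresses[0].domain.lower()
        if reply_domain != sender_domain:
            findings.append(f"replies are redirected to {reply_domain}")

    # 3. A body that is empty apart from the external-sender notice matches the
    #    scenario described above: the attachment is the whole message.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    remaining = "".join(line for line in text.splitlines() if EXTERNAL_BANNER not in line).strip()
    if not remaining:
        findings.append("body is empty apart from the external-sender notice")

    # 4. List every attachment and flag executable or archive types by name.
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        attachments.append(name)
        if name.lower().endswith(RISKY_SUFFIXES):
            findings.append(f"attachment {name!r} is an executable or archive type")

    return {"sender_domain": sender_domain, "attachments": attachments, "findings": findings}


# Constructed sample: the scenario from the article as a raw message. The
# attachment payload is a base64 placeholder, not a real archive.
SUSPICIOUS_EML = b"""From: "MSU Denver Payroll" <payroll.msudenver@gmail.com>
Reply-To: <payroll.desk@example.com>
To: student@msudenver.edu
Subject: Document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

[EXTERNAL] This message came from outside the University.

--b1
Content-Type: application/zip; name="Document.zip"
Content-Disposition: attachment; filename="Document.zip"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

# Constructed sample: an ordinary internal message for comparison.
ORDINARY_EML = b"""From: "Registrar" <registrar@msudenver.edu>
To: student@msudenver.edu
Subject: Spring registration opens Monday
Content-Type: text/plain; charset="us-ascii"

Registration for spring courses opens Monday at 8 a.m. in the student portal.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EML), ("ordinary", ORDINARY_EML)):
        report = triage(raw)
        print(f"{label}: {report['sender_domain']}, attachments={report['attachments']}")
        for finding in report["findings"] or ["no automated red flags"]:
            print("  -", finding)
```

To use it on a real message, save the email from your mail client as a .eml file and pass its bytes to triage(). An empty findings list is not a clean bill of health; it only means none of these particular checks fired, and the list above still applies.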
If you determine you’ve received a phishing email, don’t worry; you’ve already done the hard part. Report the message first, then delete it, and consider blocking the sender.
Report a scam or get help
The Information Technology Services Knowledgebase provides instructions on how to report malicious and junk email, as well as additional information on how to protect yourself from phishing scams. If you’ve opened any attachments or links, replied to an email, or otherwise believe you’ve fallen prey to a phishing scam, you should also report the event to ITS for review and assistance.