Email spoofing and impersonation scams


Email impersonation scams are on the rise at U-M. LSA Security has received reports of scams that appear to be sent by key individuals, like deans and department heads, or even the university itself. The attackers make these emails look realistic by using email spoofing.

What is email spoofing?

Email spoofing is the forgery of an email so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a popular tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate or familiar source.

The intention of the attacker is to trick their victims into:

  • Clicking on hyperlinks that let the attacker take over the victim's computer and/or steal user credentials
  • Opening a file attachment that installs ransomware or other malicious code on the victim's computer
  • Making money transfers, or paying fake invoices
  • Purchasing gift cards and transmitting the claim code on the back

A common tactic scammers use is to send emails that pair the display name of someone within the organization with an external email address. Some users won't notice that the address doesn't belong to the person named in the display name and will treat the email as if it were genuine.

Example: Mark Schlissel <markschlissel@gmail.com>

Other methods rely on tricking the eye by using a domain name that looks like a trusted source. Purchasing domains that are similar to the ones being impersonated is a common strategy in phishing attacks.

Example: U-M Benefits Office <official@universityofmichigan.com>

U-M email will always come from the @umich.edu domain. These types of attacks are especially successful when viewed on a mobile device since most phone-based email programs don't allow users to hover over links or to see the full email headers.

Recognizing an email impersonation scam

From: Anne Curzan [acurzan.umich.edu@gmail.com]
Subject: ARE YOU AVAILABLE
To: [Your email address]

Are you available? I need your assistance urgently.

  1. Check the "From" address line in the email. If you receive an email from a sender that you may be familiar with, always remember to check the "From" address line to make sure that the email is coming from a legitimate source. U-M email will always come from a umich.edu address. If you are viewing the email on a smartphone and are suspicious about where it originated, open the message in an email client on your computer to view the email domain name.
  2. Beware of urgent language. These emails oftentimes come with a sense of urgency. Phishers in particular tend to use this, attempting to elicit panic in their victims. A frazzled and fearful victim can be more apt to follow instructions in the email.
  3. Look for generic language. Scam emails often contain generic language and/or greetings that could apply to anyone receiving the message.
  4. Be careful of unexpected, out-of-character emails. When receiving a message, ask yourself if this is normal communication from the sender by confirming that the wording and signature of the message are consistent with other emails from the same sender.
  5. Avoid clicking suspicious links or downloading suspicious attachments. Cyber-criminals will usually create a spoofed webpage where you will be directed to enter your credentials or bank account information.

Additionally, learn how to read and understand email headers to see who really sent the message. An email header is a block of information about the message that includes the sender, the recipient, the date, sending and receiving time stamps, and the servers that handled the transfer of the message.
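The "From" line checks described above can be automated when triaging reported messages. The following is an added example, not part of the original article: it parses the sender headers of a raw message and flags the display-name, embedded-domain and lookalike-domain tactics shown earlier, and goes slightly beyond the article by also comparing Reply-To. The watch lists, the acceptance of umich.edu subdomains, and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED = "umich.edu"   # the article: U-M email always comes from @umich.edu
# Assumed watch lists for this example (names taken from the article's samples).
PROTECTED_NAMES = {"mark schlissel", "anne curzan"}
BRAND_WORDS = ("umich", "michigan")

def parts(header_value):
    """Return (display name, local part, domain) of an address header, lowercased."""
    name, addr = parseaddr(header_value or "")
    local, _, domain = addr.lower().rpartition("@")
    return name.strip().lower(), local, domain

def is_trusted(domain):
    # Assumption: subdomains of umich.edu are also treated as internal.
    return domain == TRUSTED or domain.endswith("." + TRUSTED)

def check_sender(raw_message):
    """List the spoofing indicators found in a raw message's sender headers."""
    msg = message_from_string(raw_message)
    name, local, domain = parts(msg.get("From"))
    if not local or not domain:
        return ["unparseable-from"]
    findings = []
    if not is_trusted(domain):
        findings.append("external-domain:" + domain)
        if name in PROTECTED_NAMES:          # internal name, outside address
            findings.append("display-name-impersonation")
        if TRUSTED in local:                 # e.g. acurzan.umich.edu@gmail.com
            findings.append("trusted-domain-in-local-part")
        if any(word in domain for word in BRAND_WORDS):
            findings.append("lookalike-domain")
    _, reply_local, reply_domain = parts(msg.get("Reply-To"))
    if reply_local and reply_domain != domain:   # replies go somewhere else
        findings.append("reply-to-differs:" + reply_domain)
    return findings

def sample(from_header, reply_to=None):
    """Build a constructed test message modelled on the article's example."""
    headers = ["From: " + from_header, "To: you@umich.edu", "Subject: ARE YOU AVAILABLE"]
    if reply_to:
        headers.append("Reply-To: " + reply_to)
    return "\n".join(headers) + "\n\nAre you available? I need your assistance urgently.\n"

if __name__ == "__main__":
    for frm in ("Mark Schlissel <markschlissel@gmail.com>",
                "U-M Benefits Office <official@universityofmichigan.com>",
                "Anne Curzan <acurzan.umich.edu@gmail.com>"):
        print(frm, "->", check_sender(sample(frm)))
```

These checks cover only the display-name and lookalike-domain tactics described in this article; an empty result does not prove that a "From" address reading @umich.edu is genuine.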

Reporting email scams

If you think you've received a spoofed, scam, or phishing email, please take the following steps:

  1. Forward the email—with full email headers if possible—to ReportPhish@umich.edu, and use the "Report phishing" feature within Gmail to flag the email as malicious.
  2. Students who have not already done so are strongly encouraged to turn on two-factor for Weblogin (Duo). Using Duo with Weblogin stops an attacker who has your UMICH password from logging in to Wolverine Access, your U-M Google Mail, and other U-M services that you log in to via the Weblogin webpage.
  3. If you feel your account may have been compromised, update your password by calling 734.764.4357 (4-HELP) or visiting password.it.umich.edu.

You can learn more about phishing and email scams by visiting the Safe Computing website.

Alert email contacts

If you learn you have been a victim of an email impersonation scam, it's never a bad idea to alert students, colleagues, and friends that these emails are fraudulent, and provide a few steps on how they can report the emails if they receive one. Below is an email template you can send out in the event of an email impersonation scam:

Hello,

I've recently learned that a scammer is attempting to impersonate me through email. Please know that any email from me will always come from <your @umich.edu email> and that I will never ask you to purchase gift cards or email me your passwords. Feel free to get in touch with me through other means if you're ever unsure if my email was legitimate.

If you receive one of these emails in the future, please forward the email to ReportPhish@umich.edu and then use the "Report as phishing" feature in Gmail, if possible.

For more information about email scams, please read https://teamdynamix.umich.edu/TDClient/47/LSAPortal/KB/ArticleDet?ID=1755.

Thank you!

Details

Article ID: 1755
Created: Wed 5/27/20 10:44 AM
Modified: Thu 10/1/20 10:28 AM