In 2017, we learned that former Vice President Mike Pence had a personal AOL email account compromised while he was governor of Indiana. You can read the story in the Wired article The Golden Age of Email Hacks Is Only Getting Started. A phishing attack was used to compromise then-Governor Pence’s email account. Phishing and whaling (a phishing attempt with a specific high-profile target) are probably the most common ways to compromise an email account. Phishing is an attack in which the attacker tries to obtain sensitive information (such as login credentials) through a deceptive email. Since 2017, the number of phishing attempts has dramatically increased, and that is true at SBTS too. These attacks are often disguised as links to sensitive information hidden behind a deceptive login page, or as an email that manipulates your emotions into doing something that lets the culprit compromise you further. The purpose of this article is to help you spot the phishing attempt before you become a victim.

Does it make sense that you should have received this email?

To spot a phishing attempt, the first step is to ask, “Does it make sense that I received this email?” Imagine that you are a part-time employee in Event Productions at SBTS. You receive an email from the VP of Finance urgently requesting that you review a budget discrepancy with a link to a Google Sheet. Stop and ask,

Do you normally receive emails from the VP of Finance requesting that you review budget discrepancies?

In that role, you probably do not, so either it was a legitimate email from the VP of Finance sent to the wrong person, or it is a phishing attempt. In either case, the right thing to do is to notify the sender of the error, which allows the sender to send the email to the correct person, or at least raises awareness of the phishing attempt.

Be Wary of Emotional Language

Attackers will often use human psychology to make their phishing attempts more successful. By triggering certain emotions like urgency, fear, or curiosity, a person is more likely to respond to an email or take action directed by the email. The following are some examples:

1. Urgency

The attacker claims to be someone in leadership who asks you to buy electronic gift cards for them because they need them for an event that same afternoon and do not have the time.

2. Fear

The attacker claims that they hacked your computer and requests that you pay a ransom, or else the attacker will reveal some embarrassing secret about you to all of your contacts.

3. Curiosity

The criminal sends a seemingly mistaken email to you with a Dropbox link to a file whose name is chosen to spark your curiosity, such as “Employees to be Terminated.xlsx”, that redirects to a fake login page where they can capture your username and password.

Where Does the Link Really Take You?

Most people do not go to websites by typing in the address. Whether from a Google search, a link on social media, or a link in an email, most people follow links to get to websites. When an email from someone you do not know has a link in it, pay close attention to where the link is redirecting you. To decipher a link, look at the following example from an email that claimed to be sharing a file via Google Drive:

https://dl.dropbox.com/google.com/drive/share/234kjh2348fwejkh.doc

The first step is to drop the “http://” or “https://”. It is not uncommon for a phishing attempt to use a page hosted on Dropbox, Google Drive, or another service that can serve webpages from within a shared folder, so just because the link starts with the secure protocol “https://” does not ensure that it is a safe link. After dropping the “http://” or “https://”, we have

dl.dropbox.com/google.com/drive/share/234kjh2348fwejkh.doc

Next, look for the first forward slash (“/”), and drop that forward slash and everything after it. In this example, the first forward slash occurs after the “dropbox.com”. By dropping everything that follows “dropbox.com”, the link is reduced to

dl.dropbox.com

What remains is a set of words separated by periods. Working backwards, the last two words, with the period between them, are the actual domain. In this example, the actual domain is

dropbox.com

While the original link included “google.com/drive” in the path, which might cause someone to think this is going to Google Drive like the email message claimed, the link would actually redirect the recipient to a page hosted on Dropbox. This example was taken from an actual phishing attempt that Campus Tech investigated.
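The three steps above (drop the scheme, cut at the first slash, keep the last two words) written out as a small script, added here as an illustration and not Campus Tech's own tool. The function names and the extra test links are assumptions for the example; the first link is the one from the article.

```python
"""Reduce a link to the domain it really points at, following the article's
three steps. Added example, not Campus Tech's code."""


def strip_scheme(link: str) -> str:
    """Step 1: drop a leading "http://" or "https://"."""
    for scheme in ("https://", "http://"):
        if link.lower().startswith(scheme):
            return link[len(scheme):]
    return link


def host_of(link: str) -> str:
    """Step 2: keep only what comes before the first "/".
    A "?" or "#" can also end the host before any "/" appears, so stop at
    whichever of the three comes first; a ":port" suffix is dropped too."""
    rest = strip_scheme(link.strip())
    end = len(rest)
    for sep in "/?#":
        pos = rest.find(sep)
        if pos != -1 and pos < end:
            end = pos
    return rest[:end].split(":", 1)[0].lower()


def real_domain(link: str) -> str:
    """Step 3: the last two period-separated words are the actual domain.
    Caveat not covered in the article: a few suffixes such as ".co.uk"
    need three words, so this rule is slightly short for them."""
    return ".".join(host_of(link).split(".")[-2:])


def claims_but_lands_elsewhere(link: str, claimed: str) -> bool:
    """True when a link mentions a service (e.g. "google.com") somewhere in
    its text but its real domain is a different one."""
    return claimed in link.lower() and real_domain(link) != claimed


if __name__ == "__main__":
    link = "https://dl.dropbox.com/google.com/drive/share/234kjh2348fwejkh.doc"
    print(host_of(link))                                  # dl.dropbox.com
    print(real_domain(link))                              # dropbox.com
    print(claims_but_lands_elsewhere(link, "google.com"))  # True
```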

Look for Anomalies

Phishing attempts can be really deceptive, and that deception is only increasing in its sophistication. If you miss the signs and do click on a link in a phishing attempt, there are still some signs that can indicate that the page you landed on is not real. Consider a deceptive Google Drive share link that redirects you to a fake Google login page.

  • Does the page look like the normal Gmail login page, or does anything on the page appear slightly off, such as misaligned images or incorrectly spelled words?
  • If you are already logged into Gmail in your web browser, then you shouldn’t need to log in again to access Google Drive. Why are you being prompted to log in again to access this particular file?
  • If you have Two-Factor Authentication turned on for your Google account, then why weren’t you prompted for the code or to verify the login in the Gmail app?

If there is any clue that the page you are on may not be the real Google Drive login page, close the tab or browser and back out. Then report that email as Spam within Gmail. If you are still unsure, you can forward suspicious emails to campustechnology@sbts.edu and we can investigate it for you.