Phishing remains one of the most common methods used to gain unauthorized access to an organization’s network. Despite the persistence and variety of these attempts, the attacks share commonalities that can help you identify their malicious intent.
The sender of the email.
It’s important to first consider whether the sender is expected. The sender can be random, or it can be “spoofed” to look like a known contact or, in some cases, to appear as though the email was sent by you. Observe extra caution if you receive an email that shows your own name and email address in the sender field and you cannot recall sending it. In all these cases, something will often look “off” and can be identified by careful examination and comparison with the sender field of other legitimate organization emails. If your own name and email appear in the sender field, a quick check of your “Sent” folder will verify whether you actually sent it.
The subject and body of the email.
The first question to ask here is whether the subject and body are something you expected. Both will often contain grammatical errors, and the body will typically ask you to click a link, open an attachment, or reply to the email (or to another email address) about purchasing something, providing money or gift cards, giving personal information, or perhaps receiving giveaway items.
The link in an email.
If a link is provided in the email, it will often convey urgency: resetting a password, viewing or downloading documents, files being shared with you, or a request to click or log in to learn more about what is described in the body of the email.
The attachment in an email.
If an attachment is provided, it will often be made to look as though it relates to the subject and body of the email. It may appear as a web browser file, a zip file with a password supplied in the body of the email, a fax message, a receipt, or even a voicemail.
Emails with QR Codes.
A common tactic in recent phishing attacks is the use of QR codes that redirect you to a malicious website asking for your username and password. Be very cautious of any email containing a QR code that you were not expecting to receive, and treat it with extra caution even if the sender is a known contact. There have been many cases where a trusted external contact was compromised and their mailbox was then used to send phishing emails containing QR codes. Please refer to this VUMC Reporter article for more details.
Another important item to watch for is Multi-Factor Authentication (MFA) prompts. If an attacker has acquired your credentials and attempts to log in where MFA is required, a sign-in prompt or text message will appear on your MFA-enrolled device. In some cases, multiple prompts may arrive in rapid succession to pressure you into approving one, in an attack known as MFA bombing. If you receive an MFA prompt for a sign-in you cannot recall, or you are receiving multiple MFA prompts, do not approve any of them. Call the Help Desk at 615-343-HELP (3-4357) for assistance with resetting your password and notify the VUMC IT Security Operations Incident Response team of the activity.
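From the defender's side, the same pattern (many push prompts to one user in a short window, possibly ending in an approval) is detectable in identity-provider logs. The following is an added example, not VUMC tooling: the `key=value` log format, the sample lines, the three-prompts-in-two-minutes threshold and the `detect_mfa_bombing` function are all constructed assumptions, and a real deployment would read its IdP's own event format and tune the window.

```python
"""Detect MFA push-bombing in authentication logs (added example).

The log format, sample lines and thresholds are constructed for illustration;
real identity-provider logs have their own schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: jdoe gets four prompts in 94 seconds and approves the
# last one; asmith gets two prompts hours apart (normal use).
SAMPLE_LOGS = [
    "2024-05-01T09:00:01Z user=jdoe event=mfa_push result=timeout src=203.0.113.5",
    "2024-05-01T09:00:40Z user=jdoe event=mfa_push result=denied src=203.0.113.5",
    "2024-05-01T09:01:10Z user=jdoe event=mfa_push result=timeout src=203.0.113.5",
    "2024-05-01T09:01:35Z user=jdoe event=mfa_push result=approved src=203.0.113.5",
    "2024-05-01T09:00:05Z user=asmith event=mfa_push result=approved src=198.51.100.7",
    "2024-05-01T12:30:00Z user=asmith event=mfa_push result=approved src=198.51.100.7",
    "2024-05-01T12:31:00Z user=asmith event=password_ok src=198.51.100.7",
]


def parse_line(line):
    """Split 'ISO-timestamp key=value ...' into (datetime, dict of fields)."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_text.replace("Z", "+00:00")), fields


def detect_mfa_bombing(lines, threshold=3, window_seconds=120):
    """Return alerts for users who received `threshold` or more push prompts
    within `window_seconds`, plus a separate alert if a prompt inside such a
    burst was approved (the outcome the attacker is pushing for)."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e[0])
    recent = defaultdict(deque)  # user -> deque of (timestamp, result)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for ts, fields in events:
        if fields.get("event") != "mfa_push":
            continue
        user = fields["user"]
        prompts = recent[user]
        prompts.append((ts, fields.get("result")))
        # Drop prompts that fell out of the sliding window.
        while ts - prompts[0][0] > window:
            prompts.popleft()
        if len(prompts) == threshold:  # first crossing of the threshold
            alerts.append({"user": user, "kind": "burst",
                           "at": ts.isoformat(), "prompts": len(prompts)})
        if fields.get("result") == "approved" and len(prompts) >= threshold:
            alerts.append({"user": user, "kind": "approved_after_burst",
                           "at": ts.isoformat(), "prompts": len(prompts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_bombing(SAMPLE_LOGS):
        print(alert)
```

A `burst` alert is worth a call to the user; an `approved_after_burst` alert is the case the page describes as needing a password reset and an incident report, since the approval may not have been the user's deliberate choice.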
It’s important to remember that although many protections are in place against phishing, workforce members can occasionally fall victim to these crafty attempts. With this in mind, treat all emails, even those from within the organization, with the same scrutiny described above.
If the situation “just doesn’t seem right,” workforce members should follow their suspicions: consult a fellow staff member or manager for a second opinion, call the Help Desk at 615-343-HELP (3-4357), and send the email to the VUMC IT Security Operations Incident Response team at phishing@vumc.org and ask them to verify it for you.