Def: Phishing refers to the process of tricking recipients into sharing sensitive information with an unknown third party.

Recent cases

Typically you receive an email that appears to come from a legitimate sender such as support@warwick.ac.uk or webteam@warwick.ac.uk. The email includes what appears to be a link to the university website. However if you follow the link, you probably will be directed to a replica of that website. Messages suggesting that you need to enter your username and password so that your Warwick account is activated/reset/perserved are generally not genuine.

If you receive any message of that kind - think phishing. Be suspicious of any email that asks for your password or account details. The chance that the message is genuine is VERY slim. In doubt always check with us. IT Services have outsourced the student email this summer and have had some problems with this process. Criminals are clearly aware of this and probably the fact that new students are about to start and are using the confusion to launch targetted attacks to attempt to steal usernames and passwords.

Example 1

The following is an example of a plain text email received in the last few weeks along with some of the clues that can allow you to determine that it is suspicious. Remember that it is relatively easy for criminals to fake (spoof) the 'from' address so don't be fooled by emails that appear to come from @warwick.ac.uk.

Example 2

This second example saw a very good web page attached to an email. This alone however is probably enough to determine that the email is suspicious. It is clearly not normal to send web pages attached to emails.

On opening the attachment we see...

How to avoid being phish-ed:

• Never respond to emails that request personal financial information
• Never click on links in unsolicited emails. If you really need to visit the site then always copy and paste the address into the address bar of your browser. In this way you will be taken to the address written in the email and not, as in the example above, to the fake address to which the link may actually point
• Look for signs that an email is phishing – alarming claims (account being closed), generic greeting (Dear user) and misspellings (e.g. 1nformati0n - to bypass our spam filters)
• Educate yourself in the evils ways of phishers and criminals. Think you can spot a phish from a genuine mail? Try the SonicWall Phishing Quiz to find out.
• Think phishing

What to do if you receive such an email:

• Do no reply to it; delete it.
• If in doubt always ask the Helpdesk for information and confirmation. Again think phishing.

Finally:

Here is an example of a genuine University of Warwick account expiry notice (that emails targeted at Warwick users typically spoof in some way). Note that it is in plain text, does not contain links to any webpages, contains key personalised information, and clearly supplies the correct contact information, discouraging you from replying directly to the email.

>>> Expiry Subsystem <expiry@csv.warwick.ac.uk> 01/09/10 3:44 AM >>>
NOTE: this applies to ALL systems run by IT Services,including public and managed workstations and Exchange.Our records show that you have ceased to be a current member of the University,(the University ID `05*****' no longer appears to be valid).The last time you appeared to be a member was 04/08/10.Because of this your account `bs****' will expire on 29/09/10,in a month's time.If you believe this to be in error, or if you believe you are entitled toretain this account, then you should contact the Help & Advisory service, inperson, on extension 73737 (external 024 7657 3737), or via email athelpdesk@warwick.ac.uk. They will be able to advise you and, if appropriate,arrange for an extension.

N.B. compiled using materials from sophos threatsaurus

Think you can spot a phish? Try this test