University of Waterloo email scams

Introduction

Every user on the internet is at risk from malware and scams. Have you ever found weird or unexpected emails in your inbox? Have you ever received emails saying that you won the lottery and all you had to do was enter your credit card information in order to claim your prize? How about emails asking you for your personal information so that you could join a great business opportunity?

These are all examples of some of the scam emails people receive. By the end of this newsletter, you will be able to detect email scams, and be aware of spam so that your identity and your electronic devices remain protected.

What are email scams?

Email scam example

https://www.associatedbank.com/security

Spam is any unsolicited email, typically meant “to sell you a product or service” [1]. Spammers send spam emails because they want money and are able to reach many people in a short amount of time.

Spammers are able to send up to a million spam emails in a single day, “with the hopes that at least a few people will respond” [1].

Spoofing

Spoofing is when someone imitates your email address by using it as their ‘From’ address, even though they have no access to your account [2].

Hijacking

Hijacking or hacking of email accounts is possible too and would most likely result from clicking a link within spam.

When an account is hijacked, someone is able to log into an account that is not theirs and perform the same actions the owner could.

A hijacker of an email account, for instance, would be able to send emails to whomever they wish.

Phishing

While spam emails target your bank account, phishing emails target your personal information, such as your social insurance number, credit card number, and the user name and password to any account.

For instance, fulfilling a phisher’s demands may result in “bank or cell phone accounts being opened in your name” [1].

Email scam example

https://lts.lehigh.edu/phishing/examples 

Spear Phishing

The Information Systems & Technology website has an example of a spear phishing attempt with warning signs highlighted about its legitimacy. The images below point to characteristics of spear phishing:

  1. The ‘From’ address appears to be Canadian, possibly another Canadian university besides University of Waterloo.
  2. The email content is relevant to students and employees.
  3. The link looks legitimate.
  4. The graphics match the actual Outlook Web App. Warning sign: the User name and Password fields are off-centre.
  5. Warning sign: the ‘Subject’ field does not follow the syntax of any university technical support member (there are two exclamation points).
  6. Warning sign: copyright text is never included in legitimate IT service emails [3].

Email scam diagram

https://uwaterloo.ca/information-systems-technology/about/organizational-structure/information-security-services/about-information-security-services-iss/information-security-posters/learn-about-and-protect-against-spear-phishing

How do spam and phishing emails reach your inbox?

Unfortunately, it is inevitable that you will receive some spam and phishing emails. This means that all emails need to be approached with caution.

People who send malicious emails find email addresses that a group of people use, then send emails to members of that group using legitimate ‘From’ addresses.

For instance, a spammer may come up with the email address FakeUWuserID@uwaterloo.ca, where ‘FakeUWuserID’ represents any made-up userID. They may even spoof a University of Waterloo email account for sending spam to University of Waterloo members.

A fake or spoofed email address would be devised by finding a trend with multiple real email addresses on the University of Waterloo website, like several professors’ profile pages.

Consequently, the senders of these harmful emails are successful because of how legitimate their email addresses appear to be.
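Because the ‘From’ address is just text the sender chooses, other headers of the same message are better evidence of where it came from. The following added example (not part of the original newsletter) parses two constructed messages and flags a ‘From’ domain that disagrees with the Return-Path or Reply-To domain, or that failed the receiving server's sender checks; the addresses, the bulk-sender.example domain and the mx.example.org server are assumptions made up for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real emails). bulk-sender.example and the
# mx.example.org receiving server are made-up names for illustration.
SPOOFED = """\
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulk-sender.example; dmarc=fail header.from=uwaterloo.ca
From: "IT Help Desk" <FakeUWuserID@uwaterloo.ca>
Reply-To: helpdesk@bulk-sender.example
Subject: Your mailbox is almost full!!

Click the link to keep your account.
"""

GENUINE = """\
Return-Path: <UWuserID@uwaterloo.ca>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=uwaterloo.ca; dkim=pass header.d=uwaterloo.ca; dmarc=pass header.from=uwaterloo.ca
From: UWuserID@uwaterloo.ca
Subject: Meeting notes

See attached.
"""


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()


def from_warnings(raw_message):
    """List reasons to distrust the displayed 'From' address."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    warnings = []
    # A spoofed 'From' often disagrees with where bounces and replies go.
    for name in ("Return-Path", "Reply-To"):
        domain = domain_of(msg[name])
        if domain and domain != from_domain:
            warnings.append(f"{name} domain {domain} differs from From domain {from_domain}")
    # The receiving mail server records its sender checks in this header.
    results = (msg["Authentication-Results"] or "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in results:
            warnings.append(f"{check} check failed")
    return warnings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, from_warnings(raw))
```

An empty list is not proof of legitimacy: a message sent from a hijacked account passes every one of these checks, and an Authentication-Results header only means something when it was added by your own mail server.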

Safety tips

There are three general steps anyone can follow to reduce the likelihood of falling for an email scam. These are all questions that should be considered before clicking any links within the email or replying to the sender.

The things anyone should examine are the ‘From’ address, the subject of the email, and its content:

  • Is it someone you know or from University of Waterloo with the generic address UWuserID@uwaterloo.ca? If you are unsure, ask the Arts Computing Office or the IST Security Operations Centre.
  • Is the subject relevant to your position?
  • Is the content of the email relevant to your position or organization?
  • Do the spelling and grammar fit who you think the sender is?

Spear phishing attempts are more difficult to recognize than spam and other forms of phishing because they appear to be credible.

The ‘From’ address could be forged to look like a University of Waterloo (UW) colleague or another member. Both the email subject and content are relevant to the receiver’s position, and the format of the email matches what an email from the impersonated sender would look like.

Lehigh University Library & Technology Services provides examples of phishing emails for members of the university to be aware of. Besides this, spam and phishing may use several strategies to further convince you to give money or personal information.

Phishing emails can be aggressive and make you feel anxious, causing you to feel obligated to provide information. Similarly, spam emails can be very aggressive and threaten you for money.

In addition, spam can seem to be too good to be true because the scammer claims the product or service does something amazing and it is backed up by insane statistics.

Conclusion

Finally, if you think or know you have a spam or phishing email in your inbox, report it to the Arts Computing Office or the IST Security Operations Centre.

Similarly, if you think your email account, computer, or any other mobile device is acting funny or you cannot log into your email after clicking a suspicious link, it is important to report any weird emails.

Spam, spoofing and hijacking can occur from a phishing attack. All it takes is clicking a link within a phishing email because it may be a form of malware or computer virus.

Addressing any of these concerns to the Arts Computing Office or the IST Security Operations Centre will better protect the University of Waterloo’s email accounts, by improving filtering methods and reporting these emails to the rest of the university’s community.

References

[1] Spam vs Phishing Emails… what’s the difference? (2012, January 11). Retrieved October 27, 2017, from https://blogs.unb.ca/tidbits/2012/01/11/spam-vs-phishing-emails%E2%80%A6-what%E2%80%99s-the-difference/

[2] Spector, L. (2015, June 29). What to do when your email address sends spam. Retrieved October 24, 2017, from https://www.pcworld.com/article/2927993/what-to-do-when-your-email-address-sends-spam.html

[3] Learn about and protect against spear phishing. (2016, August 31). Retrieved October 29, 2017, from https://uwaterloo.ca/information-systems-technology/about/organizational-structure/information-security-services/about-information-security-services-iss/information-security-posters/learn-about-and-protect-against-spear-phishing