2023-07-19: warning regarding phishing message

I want to send a warning about a fraudulent phishing email that was sent from a compromised student account, as well as a warning about how this can happen (even with MFA, or Multifactor Authentication, in place).

How can this happen?

Before getting into the details of the actual message, I want to explain how this can happen.

  • A person gets a phishing email that directs them to a fraudulent site.
  • That fraudulent site not only asks for the person's username and password, but also asks for their cell phone number.
  • The criminals then try to log in to our site with the username and password that the person provided, but are stopped by the MFA prompt.
  • The criminals then send a text to the cell phone number the person provided, asking them to reply with the code they just received via text message.
  • The person provides that code, and the criminals log in.

What can you do to prevent this?

There are a few things you can do.

  • If you're getting login codes via text message, switch to using the Microsoft Authenticator app.  It is a more secure method.  More information on how to make this switch is at: https://newpaltz.teamdynamix.com/TDClient/1905/Portal/KB/ArticleDet?ID=140221
  • Never, ever, give out a login code in response to a phone call or text message.  Text can be the method by which you receive login codes, but it should never be the way you provide those codes.  This holds even if the person asking for the code via text claims they work for New Paltz (or whatever organization you're dealing with).
  • Be very suspicious of any unfamiliar page that asks for a password.  This is especially true when the word "Password" is obfuscated (e.g., Passw0rd with a zero in place of the letter o, or Pass Word split by spaces or special characters).  An example of the fake login page that was sent out is below:

Screenshot of a phishing destination page, with the external (non-New Paltz and non-Microsoft) address highlighted, and the word 'password' obfuscated as 'pass**word' multiple times
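The obfuscated spellings described above ("Passw0rd", "pass**word", "Pass Word") are a usable indicator for anyone reviewing a suspect page or email body. The following is an added example, not part of this warning or of any New Paltz tool: a small Python check that flags disguised spellings of "password" while ignoring the plain word. The look-alike character table and the separator limit are assumptions chosen for the example.

```python
import re

# Added example, not from the advisory: flag the obfuscated spellings of
# "password" that the warning describes, such as "Passw0rd" (digit for a
# letter) and "pass**word" / "Pass Word" (separators inside the word).
# The substitution table and separator limit below are assumptions.
SUBS = {"a": "a4@", "e": "e3", "i": "i1!", "l": "l1|", "o": "o0", "s": "s5$", "t": "t7+"}


def obfuscation_pattern(word: str, max_sep: int = 3) -> re.Pattern:
    """Build a regex that matches `word` with look-alike characters and up to
    `max_sep` non-alphanumeric separators between consecutive letters."""
    classes = ["[" + re.escape(SUBS.get(ch, ch)) + "]" for ch in word.lower()]
    sep = r"[^a-z0-9]{0,%d}" % max_sep
    # Boundaries keep ordinary text like "bypass wording" from matching as "pass word".
    return re.compile(r"(?<![a-z0-9])" + sep.join(classes) + r"(?![a-z0-9])", re.IGNORECASE)


PASSWORD_RE = obfuscation_pattern("password")
PLAIN_PASSWORD_RE = re.compile(r"password", re.IGNORECASE)


def find_obfuscated_password(text: str) -> list[str]:
    """Return each spelling of 'password' in `text` that is not the plain word.
    A page that spells it plainly is normal; a page that disguises it behaves
    like the phishing page shown in the warning."""
    return [m.group(0) for m in PASSWORD_RE.finditer(text)
            if not PLAIN_PASSWORD_RE.fullmatch(m.group(0))]


if __name__ == "__main__":
    # Constructed sample page text, modelled on the warning's description.
    sample = "Sign in to keep your mailbox. Email:  Passw0rd:  Re-enter pass**word"
    print(find_obfuscated_password(sample))  # → ['Passw0rd', 'pass**word']
```

A hit is only a heuristic: it means the page is disguising the word, which is worth a closer look at the address bar, not proof of fraud on its own.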

What did the email look like?

A screenshot of the fraudulent email, with the name/address of the compromised account that sent it blanked out, is below.  Unlike some fraudulent emails, it also contained a QR code (not shown here) asking people to scan the code to get to the fake page.

The actual email is a standard scam:

  • A threat of consequences (you'll lose all email) combined with a short time frame to act (termination within 24 hours) is meant to trick people into acting rather than thinking.
  • The email is from an unknown sender (you may have known the sender, but if you did, you would not have known them to be a New Paltz employee, much less one from Information Technology Services).  Even if it came from an ITS employee, even if it impersonated me, I would advise caution and verification.

Screenshot of the phishing message.  The message said something to the effect of "if you don't click the link and give us this info, your account will be terminated in 24 hours and all mail will be lost"