Recent Phishing Examples

Lehigh has been experiencing a number of phishing messages using emails with links to Drop Box documents. If you hover your mouse cursor over the link, it will show the address it is attempting to get you to go to. The messages may appear to be from people you know. If you are not expecting a file, you should immediately be suspicious and use extreme caution. If you have clicked on anything that requires a password you feel is not legitimate, it is always a good idea to reset your Lehigh password at https://www.lehigh.edu/change.

This is a phishing email intended to get you to enter credentials on a non-Lehigh web page. You will notice:
1) Sender is from an alleged Canadian address (uoguelph.ca)
2) Hovering over the link displays it goes to a non-Lehigh address.
3) Signed by Richard Nixxon
4) Falsely lists our address in the signature line.
5) Uses urgency (you must act now) as a scare tactic to get you to respond.

Please be aware of these types of details when you see messages of a questionable nature,

LTS

Notice the two features identifying this as a phishing email: 1) The sender (highlighted) is not a Lehigh account; 2) the link in the email (highlighted) is to a non-Lehigh web address. Do not click on the link, and simply delete this email.

Another message received by a Lehigh staff member working in a financial area. The message was personalized to the staff member and had a .doc attachment which likely contains malicious content.

This is a bogus message about Lehigh Library Accounts. Lehigh Library accounts don't expire. Looking at the send address reveals that it's from a commercial Gmail address (ends in @gmail.com) not from a Lehigh email address, which ends in @lehigh.edu. Another clue that this is phishing message is that the URL points to a domain ending in .ga, NOT lehigh.edu.

Message falsely claims you have reached your 500MB limit on Lehigh Web Mail. You may note the sender has a .pk (Pakistan) email address. The link for Lehigh Web Mail may work, but the link to "Click Here" takes you to a non-Lehigh Google web form in an attempt to collect your username and password.

Do not click either link. Simply delete this message.

The non-Lehigh email address this was sent from, the grammatical errors and vague contextual information, and the fact that the messages requests your username and password are all clues that this is phishing scam. Always remember, LTS will never ask you for your password.

As a Gmail user, you can report this as a phishing message:
1. At the top-right corner of the message, click the down arrow next to the Reply button.
2. Select Report Phishing from the drop-down list--the message will go directly into your Spam folder.

Like any other phishing message you'll receive, hovering over the link shows that the it does NOT take you to a Lehigh University webpage (all Lehigh pages will end in .EDU).

Simply report it as phishing if you're a Gmail user:
1. At the top-right corner of the message, click the down arrow next to the "Reply" button.
2. Select Report Phishing--the message will go directly into Spam

The non-Lehigh email address (ends in @udd.cl) and non-Lehigh URL, http://sso-cc-lehigh-edu.jimdo.com/ (note that it ends in JIMDO.COM, not LEHIGH.EDU) are clear warning signs this is a phishing message and not from the Help Desk. Grammar and punctuation errors are also always common red flags...

If you are a Gmail user, you can mark it as Phishing by opening the message and:
1. At the top-right corner of the message, click the down arrow next to the "Reply" button.
2. Select Report Phishing.

This email, which purports to be from the "Help Desk®" with the subject "Your Mailbox" claims that you need to update and verify your Webmail certificate. It will ask you to click a link within the email to provide your credentials. This is NOT legitimate! You will never be asked by LTS to provide your credentials through a direct link within an email. Please delete this email or any similar email that hits your inbox.

This is not an email from the Help Desk. Notice the link they want you to click on tries to fool you into thinking it's a Lehigh website but close inspection reveals it ends in jimdo.com, which is NOT a Lehigh site. Do not click it--mark it as SPAM immediately and delete.

This is NOT an LTS or Lehigh communications email but a Phishing email. Lehigh departments nor LTS will NEVER ask you to send your log on credentials in ANY email we author. You can delete the email.

If you have sent your credentials in response, you will want to log into your account and reset your password immediately.

This email purports to be from "Lehigh Help Desk Services". It requests that you click a link to upgrade your email account as part of an "anti-phishing server upgrade". This email is not legitimate and was designed to steal your credentials. If you receive this message, please delete it.

This message is phishing, even though it references Lehigh Roundcube -- the message is tailored to Lehigh's systems, which is called spear phishing. It is specious, and should be deleted.

The following email has been seen in circulation at Lehigh. This is NOT a legitimate email, and asks users to click the link in an attempt to steal their username and password. Do NOT click the link. This message should be discarded with no further action. If you have clicked the link and supplied information, please change your password immediately.

This phishing email purports to be from the "IRS Tax Credit Office". It is designed to trick the recipient into submitting confidential financial information. Never submit personal information online when solicited via email. This type of phishing email message should be deleted immediately.

This message is confirmed to be "fake." Wells Fargo was contacted and they offered this advice: Review the following tips to help safeguard your personal and account information:

This fake email "over limit" email purports to be from Lehigh and suggests that you must upgrade your email account because you are over your usage limit. It is NOT from Lehigh and should be deleted immediately. If you clicked the link and entered your Lehigh credentials, you should reset your Lehigh password immediately.

This phishing message is designed to trick you into believing you've exceeded your email quota. Note the signs that make this email suspicious:

1. The sender's email is not a Lehigh email address: maplew@mail.gvsu.edu
2. A non-Lehigh URL: www.form2pay.com...

This email is not legitimate and is a deceptive attempt to trick you into believing you need to upgrade your email. Note the signs that make this email suspicious:

1. The sender's email is not a Lehigh email address: jmalnick1109@oswego308.org
2. Incorrect grammar ("...yours need update")
3. The link you are supposed to click on is NOT a Lehigh website (hovering over the "ClickHere" link reveals that it goes to www.formforall.com)

This is a specious attempt to get you to reveal your Lehigh credentials to a malicious third party. Signs that this message is suspicious:

• The sender is not a is not the LTS Help Desk email. While it does end in lehigh.edu this is easy to spoof in the header of a message.
• If you hover over the link in the message, note that it goes to lehighdotyolasitedotcom -- NOT a Lehigh domain (Lehigh domains end in lehigh.edu)
• Lehigh will never ask you to provide your credentials via an email message or embed a link in an email for login purposes.

This is a relatively straightforward phishing example. Note that the link address (which isn't hidden in any way) is not in the "lehigh.edu" domain, but in "webs.com". And Lehigh is misspelled.

This message is an attempt to obtain your credentials through claiming your email has exceeded its memory size and requests you to upgrade your mailbox by clicking on the listed link. Do NOT click on the link! You can always verify your own quota limit by going to your account page (www.lehigh.edu/account) and checking quotas under mail management.

This message is a repeat (look back in the archive to April 30, 2013). The "From:" address has been forged, but that fact doesn't mean much. Email addresses can't be counted on as an indication of a message's validity. The real key is that the link directs you to a web address that has nothing to do with Lehigh (http://myshoponline.net/wp-admin/includes/webmail/). Not only didn't Lehigh send this, it isn't a reasonable imitation of anything we actually would send. Delete it.