LTS Security & Identity Management


Recent Phishing Examples

These are recent examples of phishing schemes sent to Lehigh email addresses:

FAKE QUOTA LIMIT EXCEEDED

Fake Quota Limit

This message is an attempt to obtain your credentials by claiming your email has exceeded its quota and asking you to upgrade your mailbox by clicking on the listed link. Notice that the sender address for "Lehigh University" is 'drh@uc.pt', which is NOT in the lehigh.edu domain. Do NOT click on the link! You can always verify your own quota limit by going to your account page and checking quotas under mail management.

FAKE EXCEEDED YOUR SENDING AND RECEIVING PORTAL MSSG

Fake Exceeded Your Sending and Receiving Portal Message

This message is a clever attempt to obtain your credentials by claiming your email has exceeded its sending and receiving limits on the Campus Portal. Notice the telltale signs of phishing highlighted in the example: the message claims to be from Lehigh Webmail, but the sender address is Admissions (both false). If you hover over the link, you will see it attempts to take you to the domain shreenandinternational.com, not an actual Lehigh web site. Do NOT click on the link!

FAKE TROJAN VIRUS MSSG

Fake Trojan Virus Message

This message is a clever attempt to obtain your credentials through claiming a virus has been found in your email. Notice the link points to webs.com, not lehigh.edu. Do not click on the link!

FAKE LIBRARY ACCOUNT MSSG

Fake Library Account Message

This message is a clever attempt to obtain your credentials through a library account message. Do not click on the link!

Fake Anti-Virus Update

Fake Anti-Virus Update

This message attempts to get you to sign into your lehigh account in order to update a fake "anti-spam/anti-virus/anti-spyware" software called "F-Secure R-HTK4S". It is an attempt to steal your lehigh credentials.

Fake e-Fax

Fake e-Fax

This message tries to get you to click on a link by claiming that you have received a fax message online. Some of the links on the page are copies of legitimate links, but the trap is a very deceptive link. On the surface, the link text says "http://www.efax.com/fax/fax_view.aspx?fax_id=7132159010", which looks like a reasonable link. But if you hover over the link (without clicking on it) you will see that where it actually goes is "http://slash.ma/efax_7132159010.doc", which is someplace completely different (".ma" is the top-level domain for Morocco).

Suspicious Sign In Prevented

Suspicious Sign In Prevented

This message claims that an attempt to log into your account using your password has been thwarted. The message asks you to click on a link to verify your identity. This is bogus on the face of it, as any login attempt using your password would be presumed to be you (we have no way of knowing differently). Also, of course, we would never ask you to follow a link to verify your identity. As with many such attacks, the link address (lehigh-edu-verfication.yolasite.com) begins as if it were legitimate, but the actual domain (the ending of the address) is "yolasite.com," which is clearly not Lehigh (or any other educational institution, all of which would end in ".edu").

Fake Vanguard Security Update

Fake Vanguard Security Update

This message claims to be a security precaution prompted by the detection of an error in your account profile with an online investment firm. The message asks you to click on a link to resolve the problem. As with many such attacks, the link address (www.investor.vanguard.xxx.acanac.ca) begins as if it were legitimate, but the actual domain (the ending of the address) is "acanac.ca," which is clearly not the right domain.

Fake Unauthorized Access Warning

Fake Unauthorized Access Warning

This message appears to be an e-mail warning of a possible break-in attempt to your account. The message asks you to click on a link to "manually verify" your account by providing your login ID and password. Lehigh does not do this. (If an account has been compromised, it is immediately locked. To re-open it, you are required to contact the account coordinator, either by phone or in person, and then to change your password using normal Lehigh procedures.) The link address is particularly insidious: it begins as if it were a Lehigh address, but the actual domain (the ending of the address) is "the-webmail.com," which is clearly not from Lehigh.

Site Update Message

Fake Site Update Email

This message appears to be an e-mail warning of a Site Update and requiring users to submit personal information, including passwords. If you look at the image of this message, there are a number of clues indicating this is phishing: 1) the Subject is malformed; a genuine message would have a clear subject, not a salutation; 2) the From: address is NOT a Lehigh email, and the Reply-To: address is a random yahoo.com account; 3) there are typographic errors in the message; 4) it asks you to provide personal account information over email, and Lehigh will NEVER ask you to send credential information over email; 5) the disclaimer message is not in the English language.

CryptoLocker Message

CryptoLocker

This message appears to be an e-mail delivery of a digital voice mail message (it does not indicate what sort of phone system or service is providing this). This message is extremely dangerous. It contains an executable attachment that will encrypt (make unreadable) all of the files on every storage device it can find, starting with your hard drive, but also including network drives (such as the H: and I: drives). It will then demand a ransom to get your files back. You can read about it at Wikipedia. Delete this message; do not click on any of the links, download or open any of the attachments, or attempt to reply.

Outlook Setup

Fake Outlook Setup Message

This message seems to be instructions about how to set up your mail client properly (assuming you use Outlook, which most Lehigh users probably do not). It is indeed a "setup" in the worst possible sense of that term. The "From:" address is forged to look like it came from a Lehigh administrator (it doesn't) and it has an email link to the Help Desk, making it appear more legitimate. But it has an attachment named "Outlook.zip" that contains an executable file designed to install malware (viruses and such) on your computer. Delete this message; do not click on any of the links, download or open any of the attachments, or attempt to reply.

Fake Google Message

Fake Google Warning

A warning (which superficially seems to come from Google) claims that some of your mail is about to be automatically deleted. (Note that neither Lehigh nor Google ever does this.) The "From:" only bothers to spoof the comment; the address is clearly not Google-related (francois-cinene@4sale.net). The links all point to a non-Google, non-Lehigh website whose URL even sounds dangerous (http://jcfasteners.com/burglary.html). Delete this message; do not click on any of the links, download or open any of the attachments, or attempt to reply.

Fake Facebook Message

Fake Facebook Warning

A message claiming to be from Facebook claims that posts you haven't seen yet are about to be deleted from your Facebook page (whether or not you actually have one). As usual, neither the "From:" address (ykgnostic@static-213-136-114-18.afnet.net) nor the destination of the links (http://twater.com.tw/feature.html) has anything to do with Facebook (or Lehigh). Delete this message; do not click on any of the links, download or open any of the attachments, or attempt to reply.

Wire Transfer Fraud

Wire Transfer Fraud

This message claims that an international wire transfer request you initiated has had a problem due to lack of funds in the sending account. This might be a matter of serious concern to many of our international students, as well as any member of the Lehigh community travelling abroad. All of the addresses and links seem legitimate. Notice, however, that this very specific personal message is going out to a whole list of people. The warhead in this message is the attachment (seen at the bottom of the screenshot). The whole thing is, of course, a big lie. Delete this message; do not click on any of the links, download or open any of the attachments, or attempt to reply.

correspondencia

Correspondencia

This message asks you to click on a link that is not a Lehigh domain (it is dimdo.com). It purports to be from the Help Desk Team but notice the sender is not a Lehigh sender (this is easy to spoof anyway).

Fake Security Update

Fake Security Update

This message falsely indicates that a security update requires your action to complete, and that if you do not respond within 24 hours, you may lose your email. The message is a fraud: by examining the destination of the link in the message you will notice it goes to some other domain, 'webs.com'. Delete this message; do not click on any of the links or attempt to reply.

Suspension of your email

Suspension of your email

This message claims that your email is suspended and provides a link -- note that the link is NOT in the lehigh.edu domain and that it lacks punctuation.

Fake LinkedIn Announcement

Fake LinkedIn Announcement

This message purports to be from the social media site LinkedIn, suggesting that someone wishes to connect with you. This message is a fraud, as can be seen by examining the destinations of the links in the message (they do not go to LinkedIn). Delete this message; do not click on any of the links or attempt to reply.

Fake Mail Quota Warning

Fake Mail Quota Warning

This message fraudulently tells you that your email quota has been exceeded. The message is not from Lehigh and the link takes you to a non-Lehigh site which may host malicious software. Delete this message. NOTE: you can hover over the link to see that it does not go to a real lehigh.edu domain. You can also check your (legacy, not Gmail) mail quota by going to your Lehigh Account web page, linked at the bottom of the main Lehigh and Inside Lehigh web pages.

Account Expiration Fraud

Account Expiration Fraud

This message fraudulently tells you your account is about to expire and tries to get you to click the link to read the message. The message is not from Lehigh and the link takes you to a non-Lehigh site which may host malicious software. Delete this message. NOTE: you can hover over the link to see that it does not go to a real lehigh.edu domain. You can also verify whether your account will soon expire by going to your Lehigh Account web page, linked at the bottom of the main Lehigh and Inside Lehigh web pages.

Calendar phishing event

Calendar Phishing

This is a calendar event that appeared on a staff member's Lehigh Google Calendar, a variation on the theme of email phishing. Delete any such calendar events that may appear in your calendar.

IT Service and Operations Center

IT Services and Operations (Fraud)

This message fraudulently tells you, the recipient, that the webmail server has been upgraded and that you should click and follow the links to take advantage of new security features. While the text appears to be a legitimate link, if you hover over the link you will see that it takes you to a non-Lehigh server, and likely one that will do harm to your identity or your computer.

Webmail Upgrade Fraud

Webmail Upgrade Fraud

This message indicates that you are using more space for web mail than you have been allocated. It threatens that unless a link is clicked to upgrade the account, the account holder will be unable to receive email. Notice that the message is signed "Admin Help Desk" (no such thing), refers to "email labs" (again, no such thing), and that the link points to someplace that is not lehigh.edu. Clicking the link can result in having your account credentials compromised. This email should be regarded as SPAM and deleted.

Account Security Breach

Account Security Breach Violation

This message purports to be a "Lehigh Web Notice" about a security breach to your account. It threatens that unless a link is clicked to verify the account, the account holder will be unable to send email. Clicking the link can result in having your account credentials compromised. This email should be regarded as SPAM and deleted.

Xerox Scan Fraud

Xerox Scan Fraud

This message pretends to be an email message sent by a multifunction printer/scanner/fax machine as the result of scanning a document. The message claims that the document is a PDF, but the attachment is actually a ZIP archive (note the extension at the end of the file name). The key principle here is that any message you weren't expecting should be regarded as suspect--if you didn't just scan a document, why would you be receiving this? If you aren't sure, don't click on any links or open any attachments. This particular mailing is an attempt to get you to open and execute an infected attachment. This email should be regarded as SPAM and deleted.

Secure Message Fraud

Secure Message Fraud

This message purports to be a transmission of a secure message from a company called "fiserv.com," a mobile banking services company. The sender address, however, is "nacha.org," which is a completely different (and unrelated) group that oversees the ACH network (a key player in electronic fund transfers). The NACHA name has been used for some time as a cover for fraudulent mailings of various types (see https://www.nacha.org/node/983). This particular mailing is an attempt to get you to open and execute an infected attachment. This email should be regarded as SPAM and deleted.

Fake Upgrade Alert (again)

Fake Upgrade Alert (again)

This message is a version of the same scam we have seen before. The screenshot shows that, depending upon your mail client and whether it blocks images, the message can look slightly different. Note that the link, which purports to go to http:/www.lehigh.edu/ltsNews (this URL does not exist and is not even correctly formed, as the slash following the colon should be two slashes), actually goes to http://www.123contactform.com/form-580146/Lehigh. Also notice that the comment on the from address says Lehigh University, but the actual address is aaprell@email.wm.edu (an account at the College of William and Mary in Virginia). If you look closely, you can also spot several grammatical errors. This email should be regarded as SPAM and deleted.

Fake LinkedIn Profile Changes

Fake LinkedIn "Important Profile Changes" Alert

This email attempts to trick you into clicking on a link. It purports to be from LinkedIn, and it looks very realistic (the graphics are all exactly like those in real LinkedIn messages, and there are no apparent errors in grammar or style). But the link, whose address is http://199.47.149.2/~sunnycha/probabilities.html, does not point to a LinkedIn address (it does not even point to a named server, but just an IP address!). This email should be regarded as SPAM and deleted.

Fake Amazon Kindle Order Confirmation

Fake Amazon Kindle Order Confirmation

This email appears to come from Amazon, but note the email address is actually cheapskate@clients.amazon.org. The links all point to code on the myataworld.com domain. This email should be regarded as a phishing attack with intent to infect your computer and obtain data. Do not click any links and delete it immediately.

Fake Violation Security Breach

"Violation Security Breach"

This email tells you that your webmail has been infected with a dangerous virus. It is a fake.

Fake Verify Account and Quota Upgrade

Fake "Verify Mailbox and Increase Quota" Alert

This email tricks you into thinking there is a problem with your mailbox and quota and encourages you to click the link to fix it. Do not click on the link. Note also the improperly sized Lehigh graphic. This email should be regarded as SPAM and deleted.

Fake Account Update Message

Fake "Account Update" Alert

This email implies that as a result of an upgrade, you need to log in to your account to check out the "effect". It provides a link to the supposed login page (LTS would not do this--users should know where the login page is, and should know not to click on links in email messages). Notice that this link goes to a page in a non-Lehigh domain (the page looks very much like our portal login page--but if you pay attention to the web address, it can't possibly be a Lehigh page). This email should be regarded as SPAM and deleted.

Fake Portal Login Page

Fake Portal Login Page

This is the fake portal login page that the Fake "Account Update" Alert message above links to. It looks almost perfect. But notice the address, "chriscomport.com". This page is not real and you should not enter any information whatsoever into this page.

Fake Security Breach Message

Fake "Security Breach" Alert

This email is quite similar to yesterday's fake Upgrade Alert message, even using the same Subject line. However this message attempts to create a sense of urgency by claiming that your account will be closed if you take no action. That should be a red flag, as LTS will never threaten you with account closure. Also notice that the link at the bottom of the email is pointing to a non-Lehigh domain. This email should be regarded as SPAM and deleted.

Fake Upgrade Message

Fake Upgrade Alert

This email purports to be a notification from LTS about upgrades to the Lehigh web-mail servers. As a security precaution, Library and Technology Services no longer sends emails with links in them. If you get an email claiming to be from us, and directing you to follow a link, you may safely assume it is fraudulent, and should delete it immediately.

Verify Address Example

Fake "Irregular Action" / Verify Address Alert

This clever phishing example looks like it is from Lehigh. If you hover over the link, notice that the server address - the part between the double-slash and the next slash - is not the lehigh.edu domain (it starts out like a Lehigh web address, but it actually ends with "beverlyblackburn.com"!). Very tricky. If you were to follow this link (DON'T), you'd see the fake webmail login page below. NOTE: LTS will not send links in email, and we will not ask for your password!
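The check described above (read the server address between the double-slash and the next slash, then judge it by how it ends rather than how it begins) can be automated. The Python script below is an added example, not code from this page or from LTS; the function names (server_address, classify_link, audit) are ours, it runs over the link addresses quoted elsewhere on this page, and the final beverlyblackburn.com address is a constructed look-alike, not the one in the screenshot.

```python
import ipaddress
from urllib.parse import urlsplit
TRUSTED_DOMAIN = "lehigh.edu"

def server_address(url):
    """The server address: the part between '//' and the next '/'.
    Returns None for 'http:/www...' (one slash), which has no server part."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()

def is_trusted_host(host, trusted=TRUSTED_DOMAIN):
    """True only for the trusted domain itself or a subdomain of it. Judging
    the ENDING is what defeats names like lehigh-edu-verfication.yolasite.com."""
    return host == trusted or host.endswith("." + trusted)

def is_ip_literal(host):
    """True when the 'server name' is just an IP address, e.g. 199.47.149.2."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify_link(href, text=None, trusted=TRUSTED_DOMAIN):
    """Red flags for one link (empty list = none). `text` is the visible link
    text, which phishers set to a plausible URL while `href` goes elsewhere."""
    host = server_address(href)
    if host is None:
        return ["malformed or non-http URL"]
    reasons = []
    if is_ip_literal(host):
        reasons.append("bare IP address instead of a named server")
    elif not is_trusted_host(host, trusted):
        reasons.append(f"server is {host}, not {trusted}")
    shown = server_address(text) if text else None
    if shown and shown != host:
        reasons.append(f"link text shows {shown} but link goes to {host}")
    return reasons

# (href, visible text) pairs quoted on this page; the last href is a
# constructed look-alike that begins with www.lehigh.edu but ends elsewhere.
SAMPLE_LINKS = [
    ("http://slash.ma/efax_7132159010.doc",
     "http://www.efax.com/fax/fax_view.aspx?fax_id=7132159010"),
    ("http://lehigh-edu-verfication.yolasite.com", None),
    ("http://199.47.149.2/~sunnycha/probabilities.html", None),
    ("http:/www.lehigh.edu/ltsNews", None),
    ("http://www.lehigh.edu.webmail.beverlyblackburn.com/login", None),
]

def audit(links=SAMPLE_LINKS, trusted=TRUSTED_DOMAIN):
    """Map each href to its red flags."""
    return {href: classify_link(href, text, trusted) for href, text in links}

if __name__ == "__main__":
    for href, flags in audit().items():
        print(href, "->", "; ".join(flags) or "no finding")
```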

Fake Webmail Login Example

Fake Lehigh Webmail Login

This webform is attempting to look like a Lehigh Secure Web Page. Note that the web address (URL) is not the lehigh.edu domain.

Lehigh LTS Signin Verification Example

Fake Lehigh LTS Account Compromise Alert

This clever phishing example looks like it is from Lehigh LTS - note that if you hover over the link, it is not the lehigh.edu domain. NOTE: LTS will not send links in email, and we will not ask for your password!

Fake Lehigh Account Information Form

Fake Lehigh Account Information Form

This webform is attempting to look like a Lehigh Secure Web Page. Note that the web address (URL) is not the lehigh.edu domain. There are also a number of misspelled words, including Lehigh.

Adobe Phishing Example

Fake Adobe Website

This phishing scheme takes users to a fake Adobe site. Note the web address

Amazon Phishing Example

Amazon Order Confirmation

Clicking on the links in this fake Amazon Order Confirmation will take you to a compromised site that will infect your computer.

BBB Phishing Example

Better Business Bureau Claim Email

Phishers often use fear tactics to encourage people to click before they think! This is an example of a message that appears to come from the Better Business Bureau.

LinkedIn Phishing Example

LinkedIn Email

Many at Lehigh are using LinkedIn for professional networking. This example looks very much like the email messages received daily from LinkedIn.

IRS Phishing Example

Income Tax Return Payment Receipt

Tax time and people are falling for this fake message!