Security: Types of Phishing Scams & How to Recognize Them



Phishing emails are malicious messages that attempt to trick recipients into providing sensitive information or performing fraudulent tasks. Users can report any suspicious or malicious message to LSU IT Security and Policy (ITSP) for review through the Report options in Outlook.

Remember, LSU will never:

  • Ask you for your password over email, phone, text, or through a form submission for your LSU account or any other account
  • Ask you to approve a login through a phone call or your Microsoft Authenticator app for a sign-on you are not attempting
  • Request your name, date of birth, LSU ID or Social Security number, or password reset question information over phone, text, or email
  • Ask for payment through PayPal or Zelle to retain your account

If you believe you may have fallen for a phishing email, review the guidance below.

Phishing Examples

This article describes and provides examples for the following malicious message types:

Account Threats

Victims receive the threat that there are various issues with their account that require attention before the account is deactivated.

These phishing attempts encourage users to visit phishing sites or forms that request personal contact information and account passwords.

Attackers may attempt to collect phone numbers or personal email addresses to continue the scam outside of the LSU.EDU environment, such as over text message, where messages cannot be blocked or monitored by LSU security controls.

Never provide your password to third parties!

An email titled "Administrator has started the procedure" threatening to deactivate a user's account for having "two separate logins with portals from two distinct colleges."

An email with subject "ACT NOW" asking user to click a link to "confirm that your account is still in use."


Impersonation and Gift Card Scams

Attackers take information from publicly available listings, such as staff directories or membership lists from groups or organizations, to impersonate someone to their peers and other contacts. They create new accounts with free email providers and put the individual's name, department, or title in the email address or the display name.

The attackers use these addresses to send messages to the impersonated user’s potential contacts with a sense of urgency while claiming the impersonated user can't be reached any other way, or they may request the victim’s phone number so that they can continue the scam over text message.

If a potential victim responds, the attacker asks the victim to purchase gift cards in varying denominations with their personal funds. The attacker then asks the victim to send images of the gift cards so that the attacker can redeem them and steal the funds.

We recommend verifying suspicious or sensitive requests through a separate channel. For example, contact the user making the request directly via phone, in-person, or a known-good address to validate the request before making any purchases or following any instructions in the email.

An email titled "urgent" asking "Available, cell number?". The message is signed with the name and title of an impersonated department chair.

A message thread with subject "Re: Are you free?" A user responded to an impersonated request; the attacker asks "...get some gift cards from any apple store right now"


Shared Document Phishing

Attackers abuse legitimate sharing platforms like OneDrive or Google Docs to send phishing messages and evade filters.

The messages will typically be sent from an external user. However, the description of the file may include a reference to an impersonated LSU user.

When the victim opens the shared file, it contains a link to a phishing site. These are called “Adversary in the Middle” phishing campaigns; the phishing site interfaces with Microsoft on your behalf and can even trigger an MFA verification request if you provide the site your account password. If the request is approved, an authenticated session is granted to the attacker.

Ensure the context of the message makes sense. If you receive an odd document you were not expecting from someone you don’t know, or if you get a message claiming to be a document from someone else, be very cautious with the message. If a shared file attempts to direct you to re-authenticate to view a shared document, use caution and always verify the sign-on URL is accurate. Microsoft sign-ins should occur at “login.microsoftonline.com”. Report suspicious documents and sharing requests to IT Security for further review.
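The sign-on URL check described above, written out as an added example (not LSU's code or tooling): it accepts a URL only when the scheme is HTTPS and the host is exactly login.microsoftonline.com, which rejects addresses that merely contain that name. The function name, the sample URLs and the reserved .example hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

# Sign-in host named in the article; everything else here is illustrative.
TRUSTED_SIGNIN_HOST = "login.microsoftonline.com"

def check_signin_url(url):
    """Return (ok, reason) for a URL that is asking for Microsoft credentials."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
        port = parts.port                          # raises ValueError if malformed
    except ValueError:
        return False, "URL could not be parsed"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if parts.username is not None:
        # In https://A@B/ the browser connects to B; A is only a login hint.
        return False, f"text before '@' is not the host; real host is {host}"
    if port not in (None, 443):
        return False, f"unexpected port {port}"
    if host != TRUSTED_SIGNIN_HOST:
        # Exact match only: suffix, prefix and lookalike-character hosts all fail.
        return False, f"host is {host}, not {TRUSTED_SIGNIN_HOST}"
    return True, "host matches exactly"

# Constructed sample URLs (reserved .example names, not real sites).
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "HTTPS://LOGIN.MICROSOFTONLINE.COM./common/login",
    "http://login.microsoftonline.com/common/login",
    "https://login.microsoftonline.com.docs-share.example/common/login",
    "https://login.microsoftonline.com@docs-share.example/common/login",
    "https://docs-share.example/login.microsoftonline.com/",
    "https://login.microsoftonl\u0456ne.com/common/login",  # Cyrillic i lookalike
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, reason = check_signin_url(u)
        print("OK  " if ok else "STOP", reason, "|", ascii(u))
```

Only the first two samples pass; the rest place the trusted name in a subdomain, before an "@", in the path, or spell it with a lookalike character.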

An email titled "Jessica shared '2024_Academic Faculty dept_Resource file' with you" from sharepointonline. The contents of the message say "Fwd: Oliver has shared a file with you." The message legitimately links to OneDrive.

  • Note that while this message was sent by “Jessica,” the description inside the message is an attempt to impersonate a different sender named “Oliver.”

An email titled "Fwd: President Lisa has shared a file with you." The message is from a user named Jessica. The message contains a link to a Google Doc.

  • In this example, the message is sent by “Jessica,” but a user named “Lisa” is being impersonated within the email.

A legitimate email from Docusign.net titled "Security Alert: Unrecognized Bitcoin Transaction in Progress." The email contains contact information to call the scammer to "resolve" the unusual activity.

  • While this message is a financial scam rather than an attempt to steal user credentials, it is another example of a fraudulent document shared via abuse of a legitimate platform.


Job Offer or Overpayment Scams

Scammers will create fake accounts, or will use compromised accounts that appear more credible, to send unsolicited job offers or other opportunities.

The scams will promise the victim a job or a series of tasks, or will provide a check with excessive funds for the victim to buy certain job materials. The payments from the scammer are not legitimate; when the scammer’s check does not clear, any money the victim uses or forwards on behalf of the scammer from the check funds may be lost.

A compromised edu user sends a fake job offer, claiming to be a professor seeking an administrative assistant. The message directs users to contact a separate Gmail address.

An email titled "Hello Tutor" where individuals receive unsolicited requests for tutoring. This is a common scam and not a legitimate request.

For more information, see this article from the FTC on "How to Spot, Avoid, and Report Fake Check Scams."


MFA and QR Code Phishing

LSU will never send you an email with a QR Code for MFA enrollment! Instructions on MFA enrollment can be found here: Office 365: Multi-Factor Authentication (MFA) Enrollment

QR Codes are becoming popular vectors for phishing as they cannot be easily evaluated or blocked like traditional links.

Always be careful when visiting a site through a link in a QR code. If a QR code leads to a credentials prompt, exit the page and attempt to access the desired resource directly from a trusted link or URL.

An email titled "Action Required: Enable 2FA to Avoid Disruption." The email contains an image and a QR code instructing the user to scan the code to complete MFA setup.


Extortion Threats

This is a common scam in which an attacker uses some combination of spoofing a victim’s email address, claiming to know their password, claiming to have infected their computer, or showing knowledge of the victim’s personal details such as home addresses or phone numbers. The passwords, phone numbers, and addresses are sourced from information leaked in third-party data breaches.

Often the attacker will make sensationalistic or offensive claims about the receiver to enhance the threat. These emails are fraudulent and can be safely ignored. Do not interact with the attacker and do not send any payments to the extortion address.

An email titled "Your personal data has leaked due to suspected harmful activities." The email claims to have hacked the user's account and lists a potential password associated with the victim.


Help! I think I interacted with a Phishing message!

Report the message if you still have it. IT Security will review the message and can check your account for threats or suspicious access.

Change your password as soon as possible if it was provided in a form or on a phishing page. The new password must be unique and should not have been used anywhere else. If you use the same password for different services, you must change passwords for other services as well.

Monitor your accounts and banking statements for suspicious charges. Attackers will attempt to use compromised credentials on shopping sites to abuse saved payment details for fraudulent purchases.

Submit a request to LSU IT Security via a Security Consulting request from the IT Service Catalog or contact security@lsu.edu if you have any additional concerns regarding suspicious messages you have received or interacted with.

 


16680
2/11/2025 1:17:59 PM