TECH CORNER: Catching Phish: How to Spot Sophisticated Scams

By KAREN BEAUDWAY and MARY ROSE O’DONNELL

Over the past few months, you may have noticed an influx of Pitt IT alerts regarding phishing scams. (If you’re subscribed to IT Alerts, that is.) It seems like online thieves are in overdrive these days: From mid-June to early July, then in late August and early September, five major schemes directed well over 100,000 scam messages at the Pitt community. And these were not your “I am a Nigerian prince, please transfer money to me ASAP” emails. Bad guys can be very sophisticated, creating phishing scams that are very difficult to spot.

Difficult, but not impossible. Here are some next-level tips to help protect you from next-level phishing attacks.

Finding the right bait

In the old days, phishing emails were pretty obvious, but scammers have evolved. They understand and are exploiting many aspects of the new normal:

  • Online shopping and shipping is king, including sites without a brick-and-mortar presence.

  • Mobile devices are real business tools, used for more than just calling, texting and Twitter.

  • Collaboration tools like Teams, OneDrive and SharePoint are central to remote work.  

Phishing scams can appear to be from a legitimate Pitt or retailer email address. Hackers can create landing pages that look just like a real login page. They may exploit texting and social media. They can mimic the style and design of well-known companies.

Because so much of modern life and work has become digital, hackers can tap into normal routines without raising your suspicions. Package delivery scams bank on the assumption that you’ve ordered something online recently. Scammers know that notices that appear to be work- or school-related seem too important to ignore. While a PC lets you hover over a link to see where it’s really going, that’s way harder to do on a mobile device.

Spotting the phish

With phishing attacks becoming more sophisticated and personal by the day, how the heck is someone supposed to know the difference?! Phishing scams may look real, but upon closer examination, you can spot the signs that it’s fake. Traditional phishing signs include: 

  • Creates a sense of urgency (you must respond within the next 24 hours).

  • Invokes strong emotions (your account has been breached; win a full scholarship).

  • Requests sensitive, financial or personal data.

  • Has misspelled words and poor grammar.

  • Contains links that don’t match the organization they claim to be from.

  • Uses an email address that you are not familiar with.

More sophisticated phishing attempts require more sophisticated detection techniques. These warning signs can indicate that something is off:

  • Vague or generic content that doesn’t identify you, the sender, the file name, or order details.

  • Requires you to enter personal info to get details about the topic they contacted you about.

  • Unsolicited communication that asks for your SSN, bank account, password, or other sensitive data.

  • Doesn’t follow the style of other emails or web pages for the organization.

  • Asks you to respond via your personal email address or mobile device, and not through your Pitt email.

  • Asks you to respond to an address different than the one which sent you the message.

  • Asks you to download an app or plug-in or requests access to your system to proceed.

See the scam

Let’s look at a recent scam that targeted the Pitt community. This email posed as a notice that a file in OneDrive had been shared with you, and it provided a link to view the file:

Looks pretty legit, right? Everyone at Pitt has access to OneDrive, and people often share files with each other. The email also has the Microsoft color scheme and a copyright logo at the bottom. So how could you tell this might be a fake?

The biggest red flags here are the vagueness of the email, its appearance, and the fact that you weren’t expecting it. OneDrive notifications are specific and verifiable. It will address you by name, specify the person who shared a file with you, and provide the name of the document being shared. It also looks completely different than this fraudulent email.

Here’s a real example of what a OneDrive notification email looks like.

Keep in mind that some scammers use real hacked OneDrive accounts and notifications to spread their scams. So even if you identify that a notification comes from OneDrive, that is not a guarantee that the message is not a scam! Be sure to verify that the person sending you the notification is a friend or colleague at Pitt, and that what is being shared is expected. 

Testing the waters

So you think you might have received a phishing email. What should you do? First, trust your gut. If something seems off, it probably is. There is no harm in verifying a legit email.

The easiest way to investigate a suspicious email is to go straight to the source. Type in the URL directly, instead of using a link in the email. (For example, log into OneDrive and click Shared in the left sidebar to see shared documents. Or go to a retailer’s or shipping carrier’s website to use their tracking tool.) If you can’t verify the information on the site or from your account, that is a huge red flag!

When in doubt, contact the person directly. You can call or message the sender to confirm an email is real. Do not use the contact info provided in the email, which often loops back to the hacker in order to keep the scam going. Instead, if you don't know the person, find the customer service number on the website of the organization.

If you suspect that an email is a phishing scam, please report it to Pitt IT, so that Pitt IT is aware of the scam message and can review it. Then, delete the email without clicking any of the links. If you accidentally fall victim to a scam, change your Pitt password immediately and contact the 24/7 IT Help Desk for help in protecting your device and University networks and systems.

Phinishing up

Being aware and alert is the best line of defense against scammers. Pitt IT has many resources to help.

  • Sign up for Pitt IT alerts and our IT newsletters to stay up to date on reported phishing scams and other tech updates. The Pitt IT website shows alerts and announcements, and notices are also posted @UPittIT on Twitter and Facebook.

  • Report a phishing scam to Pitt IT’s security team by forwarding the email as an attachment to phish@pitt.edu. More specific instructions are listed here.

  • Take Pitt IT’s email and phishing interactive mini-course to learn more about how phishing attacks work and how to recognize and respond to one.

  • Pay attention to the sites you visit and the emails you receive, so you know what legitimate ones look like and ask for. Note that Pitt Passport only asks for your username and password, and the URL in the browser always starts with “passport.pitt.edu.”

Stay vigilant, Panthers so you can phight phishing!

Karen Beaudway and Mary Rose O’Donnell are Pitt IT bloggers.