These are examples of recent phishing emails that the Office of Information Security and Privacy has seen targeting the campus.
Date: 11/25/2024
Subject: EMAIL CONFIRMATION
Comments:
- External Tag
- Sender address is not a TU address
- QR code goes to a Wixsite to enter username and password
Date: 11/25/2024
Subject: Various Subjects - towson
edu.towson
Microsoftoffice365
Comments:
- Sender is Gmail Address
- No body to the emails, only the external tag and the Exchange policy tip that you don't often get email from this person
- Attachment
- Tells you to click a link to a WordPress site.
Date: 11/1/2024
Subject: Various Subjects all relating to docusign
***Test Document***Thank you for your order
Complete with Docusign: Thank You for Your Subscription Payment
Complete with Docusign: Order Reference 764803 : Payment Successfully Processed
Excellent work! Your subscription has been successfully renewed!: Invoice # 857805854.pdf
Comments:
- DocuSign is being leveraged to carry out this attack
- The text in the DocuSign email is trying to get you to call a phone number
- The "to" address is usually something odd
Date: 9/2/2024
Subject: New Financial Support Program
Comments:
- External Tag, Unusual sender policy tip
- Not a TU sender
- Hyperlink goes to an external URL
Date: 8/31/2024
Subject: Parking Ticket
Comments:
- External Tag
- External Sender
- Never click attachments or links from unknown senders
Date: 9/23/2024
Subject: Advanced Leadership Membership Membership Payment [PastDue]
Comments:
- This is one continuous email; the attacker sends a single email that is made up to look like a chain of emails to trick you
- It tries to build your confidence that this is legit. The attached invoice could either be malware or trick you into entering your credentials
- Check with the user in the email thread to make sure it is legit, check sender address for validity of domain
- Check for spelling, punctuation and grammatical errors
Date: 11/19/2024
Subject: LinkedIn Notification
Comments:
- Sender address is similar to LinkedIn's but isn't
- Suggests a personal connection
- Mouse over link, leads to a third-party website (not LinkedIn)
Date: 8/27/2024
Subject: BANKMBOILE DISBURSEMENT- Your $9,436.00 from Towson University
Comments:
- Towson University will not contact you via Gmail addresses
- The subject has spelling mistakes
- Policy tip that you don't often get email from that address
- Most likely was in the junk folder
- Mouse over link was to a Google Form that was poorly formatted
Attachment: Towson University Finainace
Malicious Form
Date: 7/11/2024
Subject: Critical Update: Health Exposure Incident Reported - Action Required
Comments:
- External Tag is on but it says it's from the University
- Policy Tip that says you don't often receive email from the sender, which is another .edu
- Scare tactics to get you to click
- External link is to a law firm. Always check the URL!
Date: 5/27/2024
Multiple Subjects impersonating Bankmobile
Subject: Vibe Account; BMTX Services, BMTX Disbursements, BMTX Inc; Select Refund Option, Vibe Account; BankMobile Services, Refunds from BMTX
Comments:
- EXTERNAL TAG IS ON, UNUSUAL SENDER TAG IS ON
- Scam impersonating BankMobile. Attached document has an external link to a fake BankMobile form that asks for login information
- PLEASE LOOK AT SENDER ADDRESS they are all random GMAIL ADDRESSES
Date: 5/21/2024
Subject: New messages are waiting for you in a Teams group chat
Comments:
- Display name is different than body message
- URL is bad
- Login Page is not TU
Date: 5/20/2024
Subject: Research Position Available
Comments:
- External Tag, Infrequent sender Policy tip
- Sender address is from another university or random gmail address but wants you to email some other domain
- Offer is too good to be true
- Malicious Actor sends you a fake check by email and wants you to print it out and mobile deposit it
Check out the "Fake Check Scam" on the FTC website
https://consumer.ftc.gov/articles/how-spot-avoid-report-fake-check-scams#Types
Date: 4/26/2024
Subject: HR and Employment Relations Information Session
Comments:
- External Tag, Infrequent sender Policy tip
- Sender address is from another university but wants you to email some other domain
- Offer is too good to be true
Check out the "Fake Check Scam" on the FTC website
https://consumer.ftc.gov/articles/how-spot-avoid-report-fake-check-scams#Types
Date: 4/25/2024
Multiple Subjects:
Subject: S.R.A Remote
Subject: REMOTE JOB PLACEMENT
Subject: Notice for Towson students
Comments:
- Please look at policy tips - this one said "You don't often get email from <senderaddress>"
- External Tag is on
- Always be suspicious when emails persuade you to move the conversation to text message
- The job offer tries to get you to deposit money, then send money to the attacker using Zelle, Venmo, etc.
Date: 3/24/2024
Subject: Dr. Mark R. Ginsberg shared a document with you
Comments:
- Fake sharing document from the President
- Sender is external
- External Tag is on
Date: 3/22/2024
Multiple subjects like the ones below
Subject: Document form HP LaserJet ProScanner
Subject: Towson Signature Required"Cyrus Cronin" <Cyrus_Cronin4@hagenes-zulauf.com> - 3/25/2024
Subject: Scanned image from MX-M565N
Comments:
- External Tag
- Attachment is a document that tells you to click on a malicious link
- Sender is also external
Date: 2/12/2024
Multiple Subjects and varieties like below
Subject: Notice of Portal Termination
Subject: Notice of Termination
Subject: Opportunity for All
Subject: Job Opening for All
Subject: Work at your convenience
Comments:
- Compromised TU student sending the messages
- Link goes to a Google Form that is asking for email addresses, phone numbers, Words of Identification? (Passwords)
- You will then receive a text message if phone number is submitted
Date: 2/13/2024
Multiple Subjects and varieties like below
Subject: FTP Billing and Financial Aid Update 2/13/2014
Subject: Financial Aid Update
Comments:
- Compromised student sending the email
- Attachment tells you to email an address and wait for more instructions
Date: 2/12/2024
Subject: You have got an urgent message from Towson University
Comments:
- External Tag
- Generic greeting
- Attacker trying to move conversation off of TU resources
Date: 2/9/2024
Subject: TOWSON administrator has started the procedure.
Comments:
- Compromised student account sending email so no external tag
- Link was to an external site
Date: 2/6/2024
Subject: W: TOWNSON UNIVERSITY NEWSLETTER!!!
Comments:
- External Tag
- Subject has Towson spelled wrong
- Attachment has a link that is broken
Date: 2/6/2024
Subject: Introducing the 2024 Assistance Program: Secure Financial Support for Families and Employees
Comments:
- External Tag
- External Sender
- External Link brings up a fake login page and tells you to check for MFA prompts
Date: 2/3/2024
Subject: Updated Pay Dates
Comments:
- Very Good Phish
- External Tag, Sender is from a different domain
- Link is to an external site that is a cloned Towson Page
- Asks for Duo Codes
Date: 1/29/2024
Subject: Payroll schedule 2024!
Comments:
- External Tag, External Sender
- Link has non-standard characters
- Link goes to a non-TU URL which then impersonates our login page and then a fake Duo MFA page
- Eventually you end up with a fake payroll calendar from 2022
Date: 1/11/2024
Subject: SCHOOL UPDATE
Comments:
- External Tag, external sender
- Offer too good to be true
- Link is to a form that requests personal information, see example below
Date: 1/07/2024
Subject: Total compensation statements for towson Staffs/Non-Staffs
Comments:
- External Tag
- Sender Address is from another .edu
- Link is to a Google Form
- Grammar and punctuation are incorrect
Date: 1/3/2024
Subject: MESSAGE FROM ADINM
Comments:
- Sender address is a Towson student's, so why would an official email to change something come from that address?
- No external tag because of student address
- Grammar and spelling are bad
Date: 12/19/2024
Subject: Open Enrollment for 2024 for all Towson Employee
Comments:
- External Tag is on
- Sender Address is not Towson
- PDF Attachment has a QR code with a link to a Russian URL that hosts a malicious Microsoft Credential Capturing form
- TU will never use a QR code for official communication
Date: 12/14/2023
Subject: Today@TU - 12/14/2023 | Release Messages
Comments:
- This was a good one
- External Tag is on
- Sender Address is Random characters @ another .edu
- Link goes to a non-TU URL which then impersonates our login page
- If credentials are entered, a Duo page will appear
Date: 12/11/2023 --Multiple Emails same tactics
Subject: YETI_30 OZ TRAVEL MUG Confirmation
Subject: Re: 2nd attempt for <Username>
Subject: Important for <Username>, congrats You Are Our <Month> Winner
Subject: Dicks Sporting Goods Surprise: You Are Our Today's Winner , You've been selected!
Comments:
- External Tag
- Sending address is suspicious: random characters @ randomcharacters.onmicrosoft.com, for example YETI-Surprise <info_cIrOIHKUREp@xv917y1.onmicrosoft.com>
- Embedded link in the image goes to a suspicious URL of the form randomcharacters.blob.core.windows.net/randomcharacters, for example https://sgqfdghqsfdtyzrt[.]blob[.]core[.]windows[.]net/sgqfdghqsfdtyzrt/url[.]html
- Random email giving away free items?
- We have seen this done with other giveaways but the tactics are the same: a random onmicrosoft.com sending address, a random blob.core.windows.net URL, and some sort of congratulations on winning something
Date: 11/6/2023
Subject: The Care Employment Opportunity
If you open the attachment
Comments:
- Not from official TU Job boards
- Offer is too good to be true
- Body of the email tells you to move the communications to a personal email platform
Date: 10/19/2023
Subject: Banks, Sean shared "Faculty Application for Employment " with you
Comments:
- Sender shared the file, but the description has a different name.
- Link is not to TU SharePoint
Date: 10/19/2023
Subject: Document for Dr. Melanie Perreault
Comments:
- External Tag
- Google Sharing
- Sender and description have a different name
- Sender is not from Towson
Date: 10/13/2023
Subject: PASSWORD RESET REMINDER
Comments:
Date: 9/20/2023
Subject: Attention: Re-authenticate 2 Factor Authentication (2Fa) for <USERNAME> on Friday-September-2023 11:28 AM
Comments:
- OTS will not ask you to scan QR codes in emails
- External Tag is at the bottom
- Sender address is not Towson
Date: 9/19/2023
Subject: About Piano
Comments:
- Offer is too good to be true
- There are various different versions of this email
Date: 9/6/2023
Subject: I Recorded You
Comments:
- Very common scam email; attackers send this to thousands and try to get one or two to send money
- The request is absurd
- Bitcoin is used all the time during scams
- If you think your account is compromised please reach out to phishing@Towson.edu
Date: 9/2/2023
Subject: Administrative Assistant/Project Coordinator
Comments:
- Offer is too good to be true
- Reply email is not associated with the University
- If you reply, the attackers will try to move to another means of communication, like SMS or personal email
Date: 8/17/2023
Subject: Kindly provide your cell number that i can reach you at
OR
Subject: Available, Cell Phone Number?
Comments:
- Email address does not match name of sender
- External Tag
- The main hook is to get this conversation to another means of communication where security controls do not exist
- End game is for the user to go and buy gift cards and send the numbers to the malicious actor
- Grammar in the text message is poor
Date: 8/17/2023
Subject: Required | Towson Multi-Factor Auth
Comments:
- This is a pretty good one; there is no external tag
- If you actually did scan the QR code, there were multiple redirects that ultimately ended on a malicious credential capture page
- TU does not use Microsoft MFA
Date: 7/24/2023
Subject: Gary Spencer shared "ATHLETICS INFORMATION REPORT SUMMARY" with you.
Comments:
- Subject sharing name is different from the body of the email. Urgency in the body of the email
- Punctuation in body of email
- URL when you mouse over the link.
Date: 7/24/2023
Subject: Retirement Planning Sessions for the University System of Maryland Employees
Comments:
- External Tag
- From Address