ALERT: Massive Phishing Attack

As many of you may have seen this past MLK weekend, SHASS was subject to a large-scale phishing attack in which bad actors impersonated Dean Melissa Nobles using a fake Gmail address. As we have been warning since Spring 2019, these are phishing attacks that perpetrate fraud. This type of attack is designed to convince unsuspecting users to purchase gift cards or money cards (online or physical), or to make transfers, and send them to bad actors posing as someone in authority in SHASS. The impersonated person can be a faculty member, a Section Head, or the Dean.

Do not fall for it. If you get a request like this, be skeptical and assume it’s a fake. Verify by looking at the sender’s return address to see whether it comes from a free email service such as Yahoo, Hotmail, Gmail, etc. If it’s not coming from @mit.edu, odds are 90% it’s a fake.

Be aware that phishing attacks have also originated from @mit.edu addresses, but they are much rarer, and in the handful of cases I’ve seen they involved student or staff Kerberos principals. If the email feels off to you in any way, especially if it has an attachment you weren’t expecting, links asking you to “verify” anything, or a request for private information, be on alert. No organization will ask you for private information or money over email: not MIT, not your bank, not PayPal, no one.
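The checks above (is the sender on @mit.edu or on a free-mail service, does the display name claim to be someone in authority, does the body ask for gift cards or transfers) can be turned into a simple triage script for a help desk or mail-filtering pipeline. The following is an added example written for this notice, not code from SHASS IT or IS&T; the executive watchlist, free-mail list, keyword list and both sample messages are constructed for illustration, and the Reply-To comparison is an extra check the notice does not mention.

```python
"""Triage heuristic for executive-impersonation ("gift card") phishing.

Added example, not part of the original notice. It encodes the notice's
advice as checks on a raw RFC 822 message:
  * sender address not on the institution's domain (e.g. a free-mail provider)
  * display name matching a known leader while the address is external
  * body asking for gift cards or transfers
The watchlist, domain lists and sample messages below are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

INSTITUTION_DOMAIN = "mit.edu"
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Constructed watchlist of names an attacker might put in the From display name.
EXECUTIVE_NAMES = {"melissa nobles"}
# Phrases typical of the gift-card variant described in the notice (constructed list).
PAYMENT_KEYWORDS = ("gift card", "money card", "wire transfer", "itunes", "discreet")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> dict:
    """Score one raw message and return the sender, a verdict and the reasons."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    dom = _domain(addr)
    reasons = []

    # Check 1: is the sender outside the institution at all?
    if dom and dom != INSTITUTION_DOMAIN and not dom.endswith("." + INSTITUTION_DOMAIN):
        reasons.append("sender not on institution domain")
    if dom in FREEMAIL_DOMAINS:
        reasons.append("free-mail sender domain")

    # Check 2: display name claims to be a known leader but the address is external.
    if name and dom != INSTITUTION_DOMAIN and any(n in name.lower() for n in EXECUTIVE_NAMES):
        reasons.append("display name impersonates a known executive")

    # Extra check (not in the notice): replies routed to a different domain than the sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != dom:
        reasons.append("reply-to domain differs from sender domain")

    # Check 3: the ask itself (gift cards, transfers, secrecy).
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(k in text for k in PAYMENT_KEYWORDS):
        reasons.append("asks for gift cards or transfers")

    # A message with no findings is NOT proven safe: the notice warns that
    # phishing also arrives from @mit.edu accounts, so "ok" means "no automatic flag".
    verdict = "suspicious" if len(reasons) >= 2 else ("review" if reasons else "ok")
    return {"from": addr, "verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real mail).
PHISH_SAMPLE = """\
From: Dean Melissa Nobles <dean.office.desk@gmail.com>
To: staff@example.edu
Subject: Quick favor

Are you available? I need you to purchase gift cards for a client today. Keep this discreet.
"""

LEGIT_SAMPLE = """\
From: A Colleague <colleague@mit.edu>
To: staff@mit.edu
Subject: Meeting

See you at 3pm in the usual room.
"""

if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, LEGIT_SAMPLE):
        print(triage(sample))
```

Run it directly to see both verdicts; in practice you would feed it the message saved as an attachment, which is also the form the notice asks you to forward to us or to security@mit.edu.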

If you are unsure, forward the email as an attachment to us and we can verify it for you.

What you can do:
----------------

1) Be aware and always be skeptical. No one will ask for money, gift cards, or private information over email. If you know the person the email claims to be from and it doesn’t sound like them, odds are you’re right: it’s not them. If you’re not sure, you can forward the email to us as an attachment for us to verify.

2) If you know for certain it’s a phishing attack, forward the email as an attachment to security@mit.edu so IS&T is aware of the attack. IS&T is the only Institute organization capable of implementing measures to stop these attacks before they enter our inboxes.

3) As a user, you can also create a blocklist of “Bad Senders”. This can only be done in owa.mit.edu and will only stop that specific email address.

Instructions can be found here:
https://wikis.mit.edu/confluence/display/shassit/Spam+Management+and+Spam+Quarantine

Be aware that this is often the least effective measure, because the bad actors simply create a new fake email address (as they did in this case) to get around the bad-sender addresses you blocked before. You end up feeling like you’re playing whack-a-mole as the phishing emails keep coming back.

If anyone has any questions, please do not hesitate to ask! Remember, there is no such thing as a dumb question.

IS&T also has a page devoted to this particular scam here:
https://ist.mit.edu/news/gift-card-scam

General IS&T resources on common email scams:
https://kb.mit.edu/confluence/display/istcontrib/Common+Email+Scams

Beware of Phishy Emails video:
https://www.youtube.com/watch?v=ZkVr0GLSjE0&feature=youtu.be