Targeted Phishing Emails
UCL users occasionally receive targeted 'phishing' emails in their inboxes. These malicious emails usually purport to come from the UCL Service Desk, helpdesk, system administrator or similar, and attempt to persuade the user to disclose their UCL username and password. When users do disclose this information, their accounts are misused, often to send spam email to other recipients.
Many phishing emails are easily spotted as scams, due to poor spelling and grammar, overuse of capital letters, or obviously incorrect information. Some are more sophisticated and often fool unsuspecting users. However, with the right knowledge they can be identified. There are two main types of these emails.
Emails that ask you to reply with your username and password
UCL staff will never ask you to send your password by email, so any email that does can be considered a scam. These emails take many forms, but typically ask you to 'verify' or 'validate' your account, due to some 'maintenance' work that is taking place. There is usually a threat that the account will be deleted if you do not reply. These emails can also be spotted by the fact that the 'From:' address or 'Reply-to:' address does not end in @ucl.ac.uk. Note that the reverse does not hold: a 'From:' address ending in @ucl.ac.uk can be forged, as the third example on this page shows, so a UCL sender address is not proof that an email is genuine. For example:
From: WEBMAIL TECH SUPPORT <email@example.com>
Subject: Dear Account Subscriber
Dear Account Subscriber,
We are currently carrying-out a Maintenance Process on our email account to complete this process you must respond to this email immediately, and enter your User Name here (*********) And Password here (*********) if you are the rightful owner of this account.
This process we help us to fight against SPAM MAILS. Failure to summit your password, will render your email address in-active from our database.
NOTE: You will be sent a password reset message in next two (2) working days after undergoing this process for security reasons.
Thank you for using our email service
Emails that link to a website that requests your username and password
These can often be very sophisticated and harder to spot. A common theme is that the user has exceeded their mailbox quota, and must log on to the linked site in order to 'validate' their account. For example:
From: John Smith <firstname.lastname@example.org>
Subject: System Administrator
Your mailbox has exceeded the storage limit which is 20GB as set by your administrator,you are currently running on 20.9GB, you may not be able to send or receive new mail until you re-validate your mailbox. To re-validate your mailbox please.
Click Here: http://huyt6.zxcvb19.com/
The example above is relatively easy to spot because the link is clearly not to a UCL site. However, it is possible for the phishers to imitate a real UCL service and try to persuade a user to log on to it. Some phishing emails have directed users to a fake version of the UCL Squirrelmail site. The URL in the example above obviously looks suspicious, but the links are often made to look like genuine UCL addresses, when in fact they are not. Therefore, it is important that users know how to identify whether a URL points to a genuine UCL site or not.
In a valid UCL address, the host name, which is the part of the URL between the double slash (//) and the next single slash (/), must be ucl.ac.uk itself or end in .ucl.ac.uk, including the dot: www.ucl.ac.uk is genuine, but ucl.ac.uk.example.com and fakeucl.ac.uk are not. Two further tricks to watch for: a port number may follow the host after a colon (the host is what comes before the colon), and if the host part contains an @ sign, the browser ignores everything before it, so http://www.ucl.ac.uk@example.com/ takes you to example.com, not to UCL. In the examples below, the actual domain names are shown in bold to make this clear.
Unfortunately, it gets more complicated than this. When viewing email in HTML format, it is possible for a link to point to a different site than the one it appears to. Put your mouse pointer over the link in the example below and look at the status bar at the bottom of your browser to see where the link really points to:
From: University College London <email@example.com>
Subject: Read Email Security Message
Due to the our new security update and removal of all unused accounts you will have to confirm your e-mail by signing into your account. We would also be shutting down all unused accounts.
What you need to do:
1. Log in to your account at https://www.squirrelmail.ucl.ac.uk, by clicking the URL.
2. Enter your user ID and Password.
3. Once you log in a new security profile would be updated for your account.
After following the instructions in the letter, your account will not be interrupted and will continue as normal. Thanks for your attention to this request. We apologize for any inconvenience. Please log in to your account immediately and continue to use the account as normal while enjoying our new security updates.
In this case, the From: address is forged, and although the link appears to point to the real UCL Squirrelmail site, it actually points to a phishing site. The phishing site may look exactly like the real Squirrelmail site, but it will steal your credentials when you enter them.
You can use the same technique when viewing an email, and point your mouse at the link to see the real destination in the status bar. If you have any reason to doubt the authenticity of the email, do not visit the site.
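The two checks described above (is the real host a ucl.ac.uk host, and does the link's visible text match where it actually points) can be automated when an email is available as HTML. The following is an added example, not code from the UCL page or any UCL service; the sample email body is constructed for the example, the host names zxcvb19.example and evil.example are made up, and the check only covers what the page describes (host name and display-text mismatch), not the content of the destination site.

```python
# Added example (not part of the UCL page): extract the real destination of
# each link in an HTML email and check whether it is a genuine UCL host.
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "ucl.ac.uk"  # the domain the page says every genuine link ends in


def real_host(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to for this URL.

    urlsplit() already discards userinfo (http://www.ucl.ac.uk@evil.example/
    resolves to evil.example) and the port, which is where look-alike URLs
    hide their real destination.
    """
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def is_trusted_host(host: Optional[str]) -> bool:
    """True only if host is exactly ucl.ac.uk or a subdomain of it.

    A plain endswith("ucl.ac.uk") would also accept fakeucl.ac.uk, hence the
    leading dot in the comparison.
    """
    if not host:
        return False
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body: str) -> list:
    """Return one dict per link: the real host, whether it is a UCL host, and
    whether the visible text is itself a URL whose host differs from the real one."""
    parser = LinkExtractor()
    parser.feed(html_body)
    results = []
    for href, text in parser.links:
        host = real_host(href)
        shown_host = real_host(text) if text.startswith(("http://", "https://")) else None
        results.append({
            "text": text,
            "href": href,
            "host": host,
            "trusted": is_trusted_host(host),
            "mismatch": shown_host is not None and shown_host != host,
        })
    return results


# Constructed sample modelled on the third email above: the visible text is the
# genuine Squirrelmail address but the href points somewhere else entirely.
SAMPLE_EMAIL = """
<p>1. Log in to your account at
<a href="http://www.ucl.ac.uk.zxcvb19.example/login">https://www.squirrelmail.ucl.ac.uk</a>,
by clicking the URL.</p>
<p>Genuine link: <a href="https://www.ucl.ac.uk/isd/">UCL ISD</a></p>
<p>Userinfo trick: <a href="http://www.ucl.ac.uk@evil.example/">www.ucl.ac.uk</a></p>
"""

if __name__ == "__main__":
    for r in check_links(SAMPLE_EMAIL):
        verdict = "OK" if r["trusted"] and not r["mismatch"] else "SUSPICIOUS"
        print(f"{verdict}: shown {r['text']!r} -> real host {r['host']}")
```

The host check deliberately compares against ".ucl.ac.uk" with the dot rather than a bare suffix, and takes the host from urlsplit() rather than from a string search, so the userinfo and port tricks described above are handled rather than relied upon not to occur.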
If you think you have disclosed your password in one of the ways described here, you should change it using the UCL password change form.