Read Our Latest Articles

Some users may dismiss phishing saying, “I would never trust an email from someone I don’t know,” or “I wouldn’t share my Social Security or bank account numbers.” However, would you trust an email from your boss? From a chancellor? What if they were asking for something as simple as your cell phone number? As we see spear phishing, a method of phishing that seeks to target individuals or organizations through impersonating an individual, use these tactics and become the common method of phishing within the university, it’s important to understand how to avoid falling victim.

To help prepare you to combat phishing, it’s first important to understand just how common phishing and spear phishing attempts can be within our organization.

• Since the introduction of multi-factor authentication (MFA), CU Denver/Anschutz has seen an 88% reduction in compromised accounts
• Just this year, the Security Operations team has responded to 279 unique phishing campaigns targeting our campuses
• Despite MFA and a heightened level of diligence from our employees and students, we have had 45 compromised or potentially compromised accounts in 2021

Now let’s look at some real examples of spear phishing attempts from the university to know what to look for:

-----Original Message-----
From: <Chancellor> <corporate@admins-orgs.com>
Sent: Monday, September 27, 2021 12:24 PM
Subject: Direct deposit change

[External Email - Use Caution]
Hi,

I have recently changed banks and like to have my direct deposit changed to my new account. I need your prompt assistance on this matter.

Thanks,
<Chancellor>

Sent from my T-Mobile 4G LTE Device

In the example above, the sender of this spear fishing attack has attempted to spoof an email from the Chancellor. This method of impersonating an executive within an organization and requesting information related to purchases or financials is a common example of the spearfishing we have seen recently. Emails about monetary transactions should always raise a red flag. If you feel uncomfortable call the sender to validate the transaction. A person who becomes hostile about your unwillingness to provide highly sensitive financial information over email is being unreasonable. Trust your instincts.

Also, notice the non-university email address the sender uses. This is a sign that this email is a spear phishing attempt.

Spear phishing emails may also request phone numbers with the intent to later instruct victims to purchase gift cards with the promise of reimbursement, as shown in the example below:

-----Original Message-----
From: <Professor Name> <angelesbribera@gmail.com>
Sent: Thursday, September 23, 2021 2:00 PM

[External Email - Use Caution]--

Send me your available cell number

<Professor Name>, PhD Professor and Chair
Department of <Dept Name> University of Colorado School of Medicine
RC1 North Tower, P00-0000 Mail Stop 0000 Aurora, CO 80045

Once again, you can see that the sender’s email comes from a Gmail account rather than a university email, a sign that we should use caution and ensure the sender is really who they say they are.

Both emails feature our external email warning banner identifying that the email is generated externally. The banner “[External Email - Use Caution]” at the top of the message provides the reminder to be cautious and can help determine if an email is really an attempt at spear phishing.

After seeing a couple examples, this information can be used to avoid falling victim to spear phishing attacks. Remember, senders are not always who they claim to be and to use caution in order to protect yourself and the university from phishing.

If you believe you are being spearphished or phished, please forward the suspicious email to the security team at phishing.samples@ucdenver.edu.