Fight Phishing, Win a Chance at an Apple Watch

Brian Eder, executive director for IT Services at Duke University Development, was at a recent meeting when a colleague approached him and showed him their phone.

On it, there was a new email, ostensibly from Eder asking if that colleague was available. Eder didn’t send the email. Instead, it was an example of an increasingly popular scam.

“I kind of laughed and said, ‘Here we go again,’” Eder said.

Across Duke, email impersonation fraud, a new savvy way scammers try to phish unsuspecting email users, is on the rise and difficult for both human and digital safeguards to detect. With National Cybersecurity Month in October, Duke is observing the month with a variety of activities and outreach for staff, faculty and students.  

Starting this week, you can report suspicious emails with one click using the new “Report Phish” button which is in all Outlook email clients (Windows, Mac, Web, Android and iPhone). Duke’s Information Technology Security Office is encouraging users to use the button instead of sending an email to ‘security@duke.edu’ to report suspicious emails. In most email clients, the button will appear in the toolbar.

“If you think an email is suspicious, you can click one button and send it to us along with all the information that we need,” said Cara Bonnett, senior analyst for Duke’s Information Technology Security Office. “It streamlines the whole process.”

Throughout October, Duke community members are invited to take the “CyberStrength” quiz to sharpen skills for spotting suspicious email. All Duke users who take the quiz will be entered into a drawing to win an Apple Watch.

Higher education and health care remain top targets for cyber attackers who attempt to gain access to research and health data, personal information, perpetrate financial fraud, or try to disrupt operations by targeting people and technology. 

Duke has robust protections in place for its email system, but email impersonation attempts, which come from email addresses that may look like one belonging to the person being impersonated, are harder to stop. Using Proofpoint, a service already in use at Duke for protecting accounts against malicious email links and attachments, Duke blocks the vast majority of emails containing spam, phishing attempts and malware. In August, about 52.5 million emails bound for Duke users were blocked by Proofpoint.

And they’re dangerous.

According to the most recent Internet Crime Report from the Federal Bureau of Investigation, business email compromise scams, such as email impersonation fraud, resulted in $2.7 billion in losses for the nation’s businesses in 2018.

“These email impersonation attacks look like legitimate emails,” Bonnett said. “They come from actual email addresses. That’s why we need everyone’s help by keeping their eyes open.”

According to the Duke IT Security Office, most email impersonation attempts claim to be from employees in management positions and come from external email providers, such as Gmail. Often consisting of simple requests such as “Are you available?” or “Can I ask a favor?” these messages are used to initiate a dialogue that the attackers hope will lead to victims providing money, information or access to protected networks.

Any email claiming to be from a Duke employee that doesn’t come from a duke.edu email address should be treated with suspicion. Messages may contain malicious attachments designed to infect machines or embedded malicious links designed to steal credentials.

Duke University School of Nursing Dean Marion Broome had an experience with email impersonation earlier this year. A would-be scammer sent emails to her executive team claiming to be her. The message, which came from an email address disguised to look like Broome’s, asked these colleagues to purchase gift cards.

“They all figured it out quickly,” Broome said. “Two of them wrote me and asked, ‘Is this you?’ I said of course not. … People just have to check things out and never assume.”

To take the quiz and to learn more about other Cybersecurity Awareness Month events at Duke, visit security.duke.edu.

Have a story idea or news to share? Share it with Working@Duke.