Last week, you may have received an email with the subject “Receipt for Your Payment to Home Chef.” This message was a phishing simulation sent out by ITS.
Many individuals reported that PayPal-related phishing scams are some of the most commonly seen in their mailboxes, and with good reason. Scammers know that finance-related emails are likely to generate a recipient response at a higher rate than other methods. To help you distinguish this type of phishing email in the future, here are the red flags that indicated that the message was not legitimate:
Sender email address: Carefully inspect how the sender’s name and email address are displayed, then compare them to those of one of your trusted contacts. In this case, the sender’s name is receipt@paypal.com, and the return email address is paypal-receipt@notification.accountsupport.finance.me.com. The email address reveals the true source. You may need to hit reply to see additional information, as the reply-to address can be different from the sender address.
Recipient address (you): Is this an email you would normally receive at work, even as a PayPal customer?
Salutation: This clue can be a bit ambiguous, but PayPal explicitly states on their website that every email they send out will address you by name. If you’re a PayPal customer and you receive an email that doesn’t address you by name, that’s a red flag. If you aren’t a PayPal customer, the fact that you’re receiving any email from them is a red flag.
Link destination: Hover over the links in the email. Instead of taking you to PayPal, the link starts with 2fa.com-token-auth.com/. At Drake, these links are sometimes masked by urldefense.proofpoint.com, our email filtering system, which can add confusion. If you don’t see urldefense.proofpoint.com or the name of the organization in the link, that’s a red flag. If you’re a PayPal customer, an easy way around this is to open a web browser and go to the PayPal website that you know to be legitimate, which can be found via a web search or emails you’ve previously received from PayPal.
There is no shame in falling for a phishing email. Scammers are becoming experts at making their emails seem real, and most of us will fall for one at some point. What matters is the action you take after the fact. If you think you may have clicked on a malicious link or attachment, or entered information into a fraudulent website, contact ITS quickly at informationsecurity@drake.edu. We can help you take steps to prevent fraud or a data breach from occurring.
— Peter Lundstedt, ITS
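The sender, reply-to and link red flags listed above can also be checked automatically. The following is an added example, not part of the original article or an ITS tool: the message is constructed (only the From header, subject and link host come from the article; the Reply-To, recipient and body text are invented), and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

FILTER_HOST = "urldefense.proofpoint.com"  # link-rewriting filter named in the article

# Constructed sample: From and link host are the ones quoted in the article;
# the Reply-To, recipient and body wording are invented for illustration.
SAMPLE = '''From: "receipt@paypal.com" <paypal-receipt@notification.accountsupport.finance.me.com>
Reply-To: billing@example.net
To: staff.member@example.edu
Subject: Receipt for Your Payment to Home Chef

Hello, view your receipt at https://2fa.com-token-auth.com/ or visit
https://www.paypal.com/ for help.
'''

def in_domain(host, domain):
    """True only for the domain itself or a genuine subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def red_flags(raw, brand="paypal.com"):
    """Return the article's sender and link red flags found in a plain-text message."""
    msg = message_from_string(raw)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    # Sender check: the display name invokes the brand, the real address does not.
    if brand.split(".")[0] in display.lower() and not in_domain(sender_host, brand):
        flags.append(f"display name {display!r} but address is at {sender_host}")
    # Reply-To check: replies would go somewhere other than the sender's domain.
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and reply.rpartition("@")[2].lower() != sender_host:
        flags.append(f"Reply-To {reply} is outside {sender_host}")
    # Link check: every URL host must be the brand or the mail filter's wrapper.
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = urlparse(url).hostname or ""
        if host != FILTER_HOST and not in_domain(host, brand):
            flags.append(f"link goes to {host}, not {brand}")
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("RED FLAG:", flag)
```

The domain comparison is anchored on a leading dot, so a host that merely contains the brand name or a stray "com" label does not pass as the brand.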