New Paltz Information Technology Services
The page you visited was not the actual my.newpaltz.edu login page. That page, as well as the email you received, were setup by Information Technology Services to simulate an actual phishing attack.
Why are we doing this?
We are trying to raise awareness of the actual attacks that the college is experiencing. Within the last month, at least four departments were targeted by cybercriminals. The messages in each of these cases used the same tactics we are simulating - they would send a message to all publicly listed members of a department, and make the message appear that it is coming from the head of that department.
Though the email you clicked on, and the page you provided your information to were NOT setup by criminals, it used the same techniques used by criminals to make you believe that their message was legitimate. Studies (and our own experiences at New Paltz) have shown that raising awareness through simulated phishing campaigns is one of the most effective ways of raising awareness.
Why are these messages not being blocked?
The vast majority of these are getting blocked or marked as Junk. Unfortunately there are so many attacks launched by these criminals that some percentage will always get through.
How do I recognize that these messages are not legitimate?
To start with, let's look at the actual email. Below is an example of the email that was sent, with a few key areas highlighted. In this example, the message 'appears' to come from Paul Chauvet - but in the one you received it would have appeared to come from someone in your department.
We've taken the email and highlighted a few points that can be used to recognize this message as not being legitimate. These same techniques can be used for messages sent by actual criminals in the future.
- If you hover over the link - you'll see the actual destination at the bottom. This is the most important indicator of a message being legitimate or fake.
- Note: If you are on a mobile device such as a phone or tablet, you can't over (as you don't have a mouse) but in its place, you can press and hold for a few seconds on any link to see the destination.
- The message would have looked like it came from someone in your department. If that person has an profile image/avatar set, then you would have seen that too. Though most phishing messages will not come from an actual @newpaltz.edu address - they will if someone else on-campus has already been compromised.
- If the message doesn't look like something the sender would have emailed you - or if you are not expecting something like this from them - contact the sender (via phone preferrably - don't just reply to the email) and ask them if it is legitimate.
When you click on the link, you're brought to a page that looks remarkably like the login page used for the real my.newpaltz.edu. There's two red flags here:
- The web address is again, my-newpaltz.com - NOT my.newpaltz.edu
- Note next to the web address, the explicit "Not secure" message. This means the website you are going to isn't encrypted. That doesn't mean that if the site is encrypted that it is legitimate - but if it is not - it is certainly not safe to submit login information to.