Information Security Office Shares Guidance on Recent Simulated Phishing Email

Did the [U]Tech's Information Security Office hook you with its most recent simulated phishing email? It was sent to full-time faculty and staff from "mgmt" on Nov. 15, and had the subject "Employee Salary NOV’23."

Screenshot from an email inbox, displaying a single message from sender “mgmt”, with subject line “Employee Salary NOV’23” and a visible snippet reading “Case Western Reserve University D…” and a time of delivery 10:10: AM

If you look closely at the message, you can see several indicators that this message is not legitimate.

Here’s what the email looked like – notice the yellow "External" tag, which should alert you to be careful, along with the non-CWRU sender address of "mgmt@my.webshar.es":

Screenshot of the phishing email. Subject: Employee Salary NOV’23. The word “External” is highlighted in yellow, indicating that Google has added a tag to the email to mark it as sent from outside the case.edu domain. The message header information reads “mgmt <mgmt@my.webshar.es> to me.
Case Western Reserve University
Dear Employee,
As already announced, The year’s Wage increase will start in November of 2023 and will be paid out for the first time in December, with recalculation as of November.
View [link:salary_increase_sheet_November-2023.xls]
You will be informed of the details in advance by letter from the personnel department.
Regards
Case Western Reserve University Management

The subject line—"Employee Salary NOV’23"—should trigger suspicion: salary increases are typically processed in the summer. The body of the email mentioned the "upcoming" wage increases for personnel. This is an example of how phishing attacks prey on the recipients’ sense of responsibility, and create false urgency by implying you will lose access to something important if you do not act.

If you clicked the link in the email and then submitted your CWRU login credentials on the generic login page (which lacked any CWRU branding and didn’t use the university’s Single-Sign On interface), it took you to an educational awareness page with valuable tips on what to do if you receive a real phishing email. It also contained information about types of phishing emails, and what to watch out for in the future.

Two screenshots, side-by-side, that capture the visual presentation of the login page and password prompt. On the first screenshot, there is a colorful, Google-esque circle logo, and below it the text reads “Sign in with your one account”. There is a text-entry box labeled “Email” followed by a link reading “Forgot email?” The next line reads “Not your computer? Use Guest mode to sign in privately. [Link: Learn More]
[Link: Create account]
[Button: Next]
The second screen shot has the same colorful circle logo, and reads “Sign in”. The email address entered at the last screen, in this case “notreal@here.com”, is presented on the next line, followed by a text-entry box labeled “Enter your password.” There is a checkbox option to “Show password”.
[Link: “Forgot my password”]
[Button: Sign In]

If you were hooked and provided your real CWRU credentials, not to worry. In this instance, your information was not stored or harvested by attackers. If you realize you’ve been hooked by a real phish, you should change your CWRU passphrase as soon as possible, to something radically different.

You can reset or change your passphrase from the Single-Sign On page using the link there to reset or change your passphrase.

This is a screenshot of the CWRU Single Sign-On screen, with a circle and an arrow over the right-hand column of links to the pages for our self-service operations such as resetting your passphrase or contacting the Service Desk. The screen has two columns. The left-hand side reads: [Logo: Case Western Reserve University] [Text: Single Sign-On]
CWRU ID: example – abc123
[Text input box for username]
Passphrase:
[Text input box for passphrase]
[Link: Forgot your passphrase?]
The right-hand column reads:
QUICK LINKS
[Link: Activate CWRU Network ID]
[Link: Reset your passphrase]
[Link: Change your passphrase]
[Link: Service Desk]
[Link:UTech Home Page]

[Button: Login]

For more security awareness information, and to view our gallery of phishing examples, visit https://security.case.edu.