Carnegie Mellon University
Computing Services  ›  Information Security Office  ›  News  ›  2019  ›  Email Impersonation Scams on the Rise at CMU
August 01, 2019

Email Impersonation Scams on the Rise at CMU

Email is the primary form of communication for students, staff, and faculty here at Carnegie Mellon University. Email provides users a quick and reliable way to effectively communicate with coworkers, friends, and family. Though email communication is essential in a digital world, it can also be dangerous. Cybercriminals are taking advantage of email based communication by creating and delivering impersonation based scams to Carnegie Mellon users. The Information Security Offic has received reports of email impersonation scams that appear to be sent from key officials, like Deans and Department heads, or even the university itself. The bad actors are able to achieve seemingly realistic emails through the use of email spoofing. 

What is Email Spoofing?

Email spoofing is the forgery of an email so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a popular tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate or familiar source. 

The intention of the attacker is to trick their victims into:

  • Clicking on hyperlinks to take over the victim's computer and/or steal user credentials
  • Opening a file attachment to install ransomware or other malicious code on the victim's computer
  • Making money transfers, or paying fake invoices
  • Purchasing gift cards and transmiting the claim code on the back

A common tactic scammers use is to send emails using the display name of someone within the organization and an external email address. Some users won't notice that the email didn't come from the user with the display name and deal with the email as if it was genuine. 

Example: Farnam Jahanian <presidentcmu@gmail.com> 

Other methods rely on tricking the eye by using a domain name that looks like a trusted source. Purchasing domains that are similar to the ones impersonated is a common strategy that is often used in phishing attacks.

Example: Farnam Jahanian <official@andrewcmu.com> 

These types of attacks are especially successful when viewed on a mobile device since most phone-based email programs don't allow users to hover over links or to see the full email headers.

Recognizing an Email Impersonation Scam

From: Carnegie Mellon University <ij@uc.pt>

Date: Thursday, July 18, 2019 2:35PM

Subject: You have 1 important pending message

Hello,

You have 1 important pending message from IT Service Desk.

View * <https://www.eterniaquartz.com/wp-content/CMU/login.cmu_edu.html>

 Thank you,

To learn how alerts like this one help you to protect your webmail, visit School Help Center.

1. Check the "From" address line in the email. If you receive an email from a sender that you may be familiar with, always remember to check the "From" address line to make sure that the email is coming from a legitimate source. If viewing the email from a smartphone and you have suspicions of where the email originated from, open the message up in an email client on your computer to view the email domain name. 

2. Beware of urgent language. These emails oftentimes come with a sense of urgency. Phishers in particular tend to use this, attempting to elicit panic in their victims. A frazzled and fearful victim can be more apt to follow instructions in the email. 

 3. Look for generic language. Scam emails often contain generic language and/or greetings that could apply to anyone receiving the message. 

4. Avoid clicking suspicious links or downloading suspicious attachments. Cybercriminals will usually create a spoofed webpage where you will be directed to enter your credentials or bank account information. This particular attack redirected users to a fake login.cmu.edu webpage. The official CMU login page will always begin with https://login.cmu.edu.

5. Be careful of unexpected, out of character emails. When receiving a message, ask yourself if this is normal communication from the sender by confirmirming that the wording and signautre of the message is consistent with other emails from the same sender. 

Additionally, learn how to read and understand email headers to view who the message was really sent from. An email header is a block of information about the message that includes the sender, the recipient, the date, sending and receiving time stamps and the servers that handled the transfer of the message. There is more information on understanding email headers at the following website:

https://mediatemple.net/community/products/dv/204643950/understanding-an-email-header (link to outside source)

What to Do If You Receive an Impersonation Scam

If you receive an email that you believe is an impersonation scam, the Information Security Office asks that you:

  • Do not respond. If you receive an email, job offer, or request that seems suspicious or you're unsure of, do not respond as it could be from a bad actor looking to steal money or personal information.
  • Forward the email and headers to the Information Security Office. In order to investigate reports of email phishing the Information Security Office needs to obtain the full message - body, full headers and any attachments. Forwarding the message typically does not include the full headers. More information on how to view and forward the email headers can be found on the Email Headers webpage.
    • The Information Security Office can be reached by email at iso-ir@andrew.cmu.edu or by phone at 412-268-2044.