Anatomy of a Phish: What to Watch Out For

Anatomy of a Phish: What to Watch Out For

AnitPhish (Anti-Phishing Campaign)On Monday, October 3, a phishing email was circulated to a large number of SMU accounts.  This one was extremely well crafted and more difficult to ascertain the validity than many we have seen. We thought it would be a good idea to highlight some of the potential flags in the email that should raise suspicion.

A screenshot of a phishing email.

  1. Sender: while this recent message came from a valid SMU account and address, the employee was from DEA.  DEA is not the right department on campus to send information about Human Resource issues! Check to make sure the message is coming from the appropriate person.
  2. The To: field is blank:  The message was sent with an undisclosed population in the BCC field.  Although the BCC field is often used to hide a large recipient list, it is at least something to be mindful of particularly when it is asking for you to do something.
  3. Expiration in 24 hours: The sense of urgency in the email is definitely a flag. When is the last time you received an employee assignment for training that only allowed one day to complete? If this is the first time you’ve seen an “assignment” or a request and there is a very short deadline, exercise caution.
  4. Hyperlink: If you hover over the link, you’ll notice it is a very odd path that is not an SMU address or an expected URL.  This is a giant red flag to catch phishing attempts! Always check the link by hovering the mouse over the text without clicking on the link itself.
  5. Logon page: If you clicked on the link, you were taken to a webmail sign-in page
    1. This is not our typical sign in page, and the URL is not from
    2. It was also taking you to an email sign in page.  Why would a training site take you to an email page? Certainly there would be a much better way to manage a training calendar than within a designated email account!
      An example of a phishing page designed to appear as a webmail login page.
  6. The disclaimer about the anti-harassment policy refers to a County-mandated training program. Since we are a private employer, many of these mandates would be coming from SMU—not Dallas County.

There were several who fell victim to the message above which has spawned additional phishing emails this week.  Please continue to be extremely wary of phishing attempts, and let us know if you catch one!  Either contact the IT Help Desk or directly forward the message as an attachment to As always, Security Starts with You!

Print Friendly, PDF & Email

Published by

Rachel Mulry

Associate CIO for Planning and Customer Service Office of Information Technology