Keep an eye out for spoof emails from LSE staff

Report spoofing emails to phishing@lse.ac.uk

2 November 2022

If you’re quickly scrolling through your inbox and see a short, eye-catching email subject line sent from your manager or head of department, it might be phishing! Subject lines in the past have been:

  • Hey, are you there?
  • I’m in a meeting
  • Quick request
  • How are you?

The email is typically a request for your help, asking if you have a minute without giving any further details. It claims the sender is busy in a meeting and cannot call you.

Sometimes, the email will emphasise discretion and flatter you, saying you’re being trusted to handle an urgent matter. It says they need a favour from you, for example, they want you to put them in touch with somebody else at LSE. Most stress that they’re awaiting your reply.

The sender is depending on you to reply quickly. This is called “whaling” – when a phishing email “spoofs” or impersonates a more senior member of staff to elicit a fast response. The sender could manipulate the email header so the sender name imitates how Microsoft Outlook/Teams usually abbreviates full names. It may sign off with a first name, or it may include a forged email signature.

If you respond to this type of phishing, the sender will try to engage with you in real-time. Most recent cases reported at LSE have asked recipients to purchase gift cards. In some cases, colleagues reported immediately sharing their personal phone numbers with the sender.

Although this type of phishing doesn’t usually steal LSE credentials (there is no fake LSE login page), replying still has consequences even if you give nothing away: a reply tells the bad actor that you engage with such messages and may be vulnerable to other kinds of attacks, which often results in more attempts to break into your account and into LSE generally.

How to avoid replying to this type of phishing:

  • Don’t reply on your phone. When we’re on the go or rushing, we’re less likely to recognise signs of social engineering. Phone screens are small, and the Outlook app may minimise the email header, making it more difficult to verify the sender.
  • Pause and double check the email sender line. You may see it’s not from an @lse.ac.uk email address, but instead sent from a @gmail or @icloud address.
  • Bad actors can spoof LSE email addresses too. It is very easy for a bad actor to manipulate the email header and make the sender seem like an @lse.ac.uk address.

Report all suspicious emails as an attachment to phishing@lse.ac.uk. You can also report them to the UK National Cyber Security Centre at report@phishing.gov.uk. We can analyse the detailed message header for you to determine whether the sender is at LSE or is spoofing an LSE address.
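The checks above (is the address really @lse.ac.uk, does the display name mimic an Outlook-style “Surname, Forename”, and does the message header show the domain was spoofed) can be applied to a raw message header. The script below is an added example written for this page; it is not LSE’s own tooling. It assumes lse.ac.uk as the trusted domain, uses the lure subject lines the article lists, and runs on three constructed sample messages (reserved .example domains, no real mailboxes): one from an external webmail address with an impersonating display name, one that spoofs an @lse.ac.uk sender and fails DMARC, and one genuine internal message.

```python
"""Header triage for display-name / whaling phishing. Added example, not LSE's tooling."""
import email
import re
from email import policy

# Assumption: the organisation's own domain, taken from the article.
TRUSTED_DOMAIN = "lse.ac.uk"

# Short, urgent subject lines the article lists as past lures.
LURE_SUBJECTS = {"hey, are you there?", "i'm in a meeting", "quick request", "how are you?"}

# Constructed samples (not real messages). "webmail.example" stands in for a
# free provider such as gmail or icloud.
SAMPLE_EXTERNAL = """\
From: "Smith, Jane" <jane.smith@webmail.example>
Reply-To: "Smith, Jane" <jane.smith@webmail.example>
To: colleague@lse.ac.uk
Subject: Quick request
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=webmail.example; dkim=pass header.d=webmail.example; dmarc=pass header.from=webmail.example

Are you there? I'm in a meeting and can't take calls. Need a quick favour.
"""

SAMPLE_SPOOFED = """\
From: "Smith, Jane" <j.smith@lse.ac.uk>
Reply-To: <jsmith.urgent@webmail.example>
To: colleague@lse.ac.uk
Subject: Hey, are you there?
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=webmail.example; dkim=none; dmarc=fail header.from=lse.ac.uk

Are you free? I need you to handle something discreetly.
"""

SAMPLE_LEGIT = """\
From: "Smith, Jane" <j.smith@lse.ac.uk>
To: colleague@lse.ac.uk
Subject: Agenda for Thursday's departmental meeting
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=lse.ac.uk; dkim=pass header.d=lse.ac.uk; dmarc=pass header.from=lse.ac.uk

Attached is the agenda. See you Thursday.
"""


def first_address(msg, name):
    """Return (display_name, addr_spec) of the first mailbox in an address header."""
    hdr = msg.get(name)
    if hdr is None or not getattr(hdr, "addresses", ()):
        return "", ""
    addr = hdr.addresses[0]
    return addr.display_name, addr.addr_spec.lower()


def auth_results(msg):
    """Extract spf/dkim/dmarc outcomes from the receiving server's Authentication-Results."""
    hdr = str(msg.get("Authentication-Results", ""))
    out = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=([a-z]+)", hdr, re.IGNORECASE)
        out[mech] = m.group(1).lower() if m else "none"
    return out


def triage(raw):
    """Apply the article's sender checks to a raw message; return findings and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = first_address(msg, "From")
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    # 1. Sender line is not an @lse.ac.uk address.
    if domain != TRUSTED_DOMAIN:
        findings.append("external-sender")
    # 2. Display name mimics Outlook's "Surname, Forename" style on an external address.
    if domain != TRUSTED_DOMAIN and re.fullmatch(r"[^,<>@]+,\s*[^,<>@]+", display.strip()):
        findings.append("display-name-impersonation")
    # 3. Replies would go to a different address than the one shown.
    _, reply_addr = first_address(msg, "Reply-To")
    if reply_addr and reply_addr != addr:
        findings.append("reply-to-mismatch")
    # 4. Header claims the trusted domain but the domain's DMARC check did not pass:
    #    the spoofed @lse.ac.uk case the article warns about.
    auth = auth_results(msg)
    if domain == TRUSTED_DOMAIN and auth["dmarc"] != "pass":
        findings.append("spoofed-trusted-domain")
    elif auth["dmarc"] != "pass":
        findings.append("dmarc-not-pass")
    # 5. Subject is one of the known short lures.
    if str(msg.get("Subject", "")).strip().lower() in LURE_SUBJECTS:
        findings.append("lure-subject")
    return {"from": addr, "display": display, "auth": auth, "findings": findings,
            "verdict": "report" if findings else "no-indicators"}


if __name__ == "__main__":
    for label, sample in (("external", SAMPLE_EXTERNAL), ("spoofed", SAMPLE_SPOOFED),
                          ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample))
```

The Authentication-Results header is the one the article says the security team reads for you: it is written by the receiving mail server, so a message whose From address says @lse.ac.uk but whose DMARC result is not “pass” is the spoofed case, while an external address with a passing result is simply an outside mailbox dressed up with a familiar display name. Both end in the same advice: report, don’t reply.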

If you shared your phone number:

  • You may receive more “smishing” or SMS/text message phishing. You should report these to phishing@lse.ac.uk and you can also forward suspected smishing messages to Action Fraud at 7726 if you have a UK phone number.
  • We recommend removing your phone number from your MFA methods. Bad actors could spoof your number to intercept MFA requests, thereby compromising your LSE account. Use a personal non-LSE address as your secondary method and set up the Microsoft Authenticator App as your primary MFA method here.

To see recent examples of this type of phishing, please dive into our phish bowl here. We regularly add new phishing reported at LSE and share tips on how to avoid falling for them.