Phishy Days at LSE

Report suspicious emails or unusual account activity to phishing@lse.ac.uk

27 March 2023

If you’re reading this, you may have seen a significant uptick in phishing emails landing in your LSE inbox. Please take a couple of minutes to read this article and review the signs of social engineering. For examples, you can swim over to our Phish Bowl here.

Why have there been so many more phishing emails in my inbox?

Recently, a critical zero-day vulnerability affecting Microsoft Outlook for Windows was found being exploited in the wild (for the curious, see CVE-2023-23397). Microsoft has since released a fix, which reaches you through normal Outlook and Windows updates, so keep your LSE devices up to date. What this means for you at LSE is that more bad actors are emboldened to try to hack your Outlook account through phishing.

Remember the signs of social engineering:

  • A sense of urgency 
  • A threatening (or flattering!) tone 
  • Relates to your account (e.g. change your password), money (e.g. here’s your invoice) or a signature (e.g. review and sign this document)
  • Piques your curiosity (e.g. listen to the attached voicemail)

Phishing emails want you to click on an attachment or link and input your LSE credentials quickly, without asking questions, and without telling anyone. Some also want to steal your card payment details or other personally identifiable information (PII).

Why can’t LSE Data & Technology Services (DTS) block all phishing emails?

  • DTS can and does block malicious senders, but this is an ongoing battle: one bad IP address or email address associated with sending phishing gets blocked, the bad actor simply creates another, and the cycle continues. 
  • We cannot block all Gmail, iCloud, Yahoo and other third-party email domains, because legitimate contacts use them too.
  • We have also seen bad actors abuse legitimate services (for example PayPal or Adobe) to send the phishing email. The message really does come from that service and the link in it points to that service, so the URL looks clean; but clicking it opens a document hosted there, and it is that document which contains the malicious link. Outlook’s anti-spam checks only see the first, legitimate hop, so this chain is not detected.

That is why technical controls alone cannot stop the wave of phishing emails – we also need YOU to recognise the signs of social engineering and report any suspicious emails to phishing@lse.ac.uk


What do I need to do?

Due to a high volume of reports, we may not be able to reply to everyone. Some of our initial responses need to be brief and standard, but every report helps protect LSE, and we want to keep hearing from you. Please make sure you do the following steps: 

  • If you’re unsure about the legitimacy of an email you’ve received, always try to verify the information using a trusted source, and importantly, outside of the email chain. Before clicking any link or opening any attachment, make sure the email is real. This applies to anything you’re unclear about: for example, if an email claims to come from a colleague but is confusing or unexpected, or comes from a non-LSE email address, check with them through Teams or even in person!
  • Report suspicious emails as a .eml attachment (just drag and drop the email into a new message); there’s a quick 2-minute YouTube video explaining how here.
  • IF you clicked AND entered your password, change your LSE password as soon as possible (and change it anywhere else you have reused the same password), then email phishing@lse.ac.uk; a member of the Tech Support team will take you through the Compromised Account Procedure.
  • If you clicked but did not enter your password, you are unlikely to be compromised, but it is still very important to email phishing@lse.ac.uk for detailed guidance; you may need to run several anti-virus scans and install other security updates. 
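For those who receive the .eml reports, here is how the signs listed above (urgency wording, a sender or Reply-To outside LSE, a link whose visible text does not match where it really goes, and a clean first hop on a legitimate document service) can be pulled out of a reported message automatically. This is an added example written for this page, not a DTS tool: it uses only the Python standard library, and the sample message, the domain lists and the urgency word list are constructed for illustration.

```python
"""Triage one reported .eml for the social-engineering signs described above.

Added example (not an LSE DTS tool). Standard library only; the sample
message, domain lists and word list below are constructed, not real reports.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "lse.ac.uk"   # the organisation's own mail/web domain
ORG_NAME = "lse"           # used to spot spoofed display names
# Free-mail providers that cannot simply be blocked outright.
FREEMAIL = {"gmail.com", "yahoo.com", "icloud.com", "outlook.com", "hotmail.com"}
# Assumed list of legitimate document services abused as a clean first hop.
DOCUMENT_HOSTS = {"acrobat.adobe.com", "docs.google.com", "www.dropbox.com"}
# Assumed urgency/threat wording; extend from real reports.
URGENCY_WORDS = ("urgent", "immediately", "24 hours", "suspend", "expire",
                 "verify now", "final notice")

# Constructed sample report: a credential phish posing as IT support.
SAMPLE_EML = b"""\
From: "LSE IT Support" <helpdesk@lse-support-portal.com>
Reply-To: lse.helpdesk.reset@gmail.com
To: staff.member@lse.ac.uk
Subject: URGENT: your LSE password expires today
Date: Mon, 27 Mar 2023 09:12:44 +0100
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your LSE mailbox will be suspended in 24 hours unless you verify now:</p>
<p><a href="https://lse-support-portal.com/auth/verify?u=staff">https://login.lse.ac.uk/</a></p>
<p>Updated policy: <a href="https://acrobat.adobe.com/link/review?uri=example">Review document</a></p>
<p>Questions? <a href="https://info.lse.ac.uk/">Contact DTS</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def host_of(url):
    """Hostname of a URL; bare hostnames get a scheme so urlparse sees them."""
    if not re.match(r"[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url
    return urlparse(url).hostname or ""


def is_org_host(host):
    """Exact match or a real subdomain: 'notlse.ac.uk' must not pass."""
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def looks_like_url(text):
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) is not None


def triage(raw):
    """Return the indicators found in one .eml; 'score' counts those present."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    links = []
    if part is not None and part.get_content_type() == "text/html":
        collector = _AnchorCollector()
        collector.feed(body)
        links = collector.links
    from_domain, reply_domain = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    plain = ((msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    f = {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        # Display name claims to be the organisation but the sender domain is not.
        "display_name_spoof": from_domain != ORG_DOMAIN and ORG_NAME in (msg["From"] or "").lower(),
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "freemail_reply_to": reply_domain in FREEMAIL,
        "urgency": sorted(w for w in URGENCY_WORDS if w in plain),
        # Visible text is itself a URL/hostname but the href goes elsewhere.
        "deceptive_links": [(t, h) for t, h in links
                            if looks_like_url(t) and host_of(t) != host_of(h)],
        # Clean first hop on a document service: follow through before trusting.
        "document_service_links": [h for _, h in links if host_of(h) in DOCUMENT_HOSTS],
        "external_links": [h for _, h in links if not is_org_host(host_of(h))],
    }
    f["score"] = sum(bool(f[k]) for k in ("display_name_spoof", "reply_to_mismatch",
                                          "freemail_reply_to", "urgency",
                                          "deceptive_links", "document_service_links"))
    return f


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The checks are deliberately simple and each one is explainable to the reporter in the reply: which header disagreed, which link text lied, which legitimate service was used as the first hop. Note the `is_org_host` subdomain test; a plain `endswith("lse.ac.uk")` would also accept a look-alike such as `notlse.ac.uk`.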

The latest examples of phishing reported at LSE can be found in the phish bowl here.