Skip to end of metadata
Go to start of metadata

WHAT TO DO if you receive a suspicious email:

Mark it as phishing using google's instructions for reporting phishing.

This marks the message as spam and creates a report for our security administrator, who can follow-up if needed.


Phishing is here and shows no signs of letting up. Most phishing we have observed falls into one of four categories:

  • Gift Card Scam
  • Extortion (common form: sextortion)
  • Payroll Redirection
  • Bogus Invoices


Gift Card Scam

In this scenario, a bad actor impersonates a supervisor. He creates an email account often at Gmail or He then sends a message only to this supervisors' subordinates. This is meant to appear as if he accidentally sent the message from his personal email account, perhaps on his phone.

The first email is brief, to the effect "Are you available?" The exchange then generally follows this format:

  • Scammer: "Are you available?"
  • Employee replies: "Sure. What's up?"
  • Scammer: "I'm stuck in a meeting. Can you do me a favor?"
  • Employee: "Sure thing."
  • Scammer: "I want to reward three team members, student workers, etc. Can you buy three $100 iTunes, GooglePlay, whatever, gift cards and send me the numbers?"
    Employee hopefully stops at this point, but if he does not, then the scammer will request more.


The bad actor claims that they have hacked the user's account, has installed spyware on the user's computer and has the user's contacts, browser history, and video recordings of the user "pleasuring themselves" to online porn. If the user does not send them a certain amount of bitcoin they will send the material to all the user's contacts. As evidence, the scammer will claim to have sent the message from the user's own account. This is most commonly sent from some random email account--only the display name has been changed to appear as the target's account. Alternatively, the scammer will reveal a user's actual password in the subject line and/or the message body. This is a password was compromised in one of any number of major credentials leaks for example LinkedIn, MySpace, Yahoo, PlayStation Network, etc.

Payroll Redirection

The bad actor requests instructions for changing their payroll deposit information or supplies new direct deposit information. The payroll office is aware of this scam and simply reports them as phishing. Employees need not worry that their pay will be redirected without their consent as Carleton only changes payroll direct deposit information in person at the HR office and only after confirming the person's identity with an ID.

Bogus Invoices

The bad actor sends a false invoice to someone in the finance office requesting payment for a product or service. This is perhaps the most difficult phishing attempt to detect. The messages are sent to a very small number of users, often only one. The perpetrator will do web research to identify likely vendors involved major projects, like construction projects. The dollar values can be high. The user needs to be observant of the return email address, confirm this is from a vendor/vendor representative we do business with, and confirm the contact information we already have on file.

Definitions and Explanations


Messages that are crafted to appear legitimate are called phishing.

Examples include messages from "system administrators" regarding account issues, or from banks regarding bank account issue. These campaigns generally blindly target a large number of users, and often include letterhead and logos. It appears official.

You can always check the validity by contacting the person or business independently by looking up contact information on their website.

Spear Phishing

Spear phishing is a type phishing that is generally tailored to a small number of users.

Details for these campaigns are harvested through web research. Collection of institutional letterhead, logos, and message formats are common. They tend to include specific detailed information about current projects that may be posted on the website or refer to specific people or offices in an effort to make the message seem more legitimate. Because of the specificity and small volume, these are difficult to detect automatically.

As with general phishing, you can check the validity of a message by contacting the person or business independently.


The bad actor will create an email account that appears like it might be a personal email account, and set the display name to be the same as their target.

They are not trying to make the message appear like it is coming from a legitimate account - most of these are from gmail.

Google will try to detect these and warn with a banner at the top of the email. Because anybody can create email accounts with any name, this is very difficult to prevent.

Check the validity of messages by contacting the person through a known good email address or calling them.


The bad actor will send a message and by either setting up an unauthorized mail server or simply changing the display name of the email to appear to be coming from an or another legitimate source.

Spoofing can be identified by examining the message headers – check out Google's instructions for viewing message headers

  • No labels