RIT Information Security Alert: Phishing Attempts with Executable Attachments

RIT people are receiving email with attachments that appear to be purchase orders. We’ve provided an example below. Note that the sender, subject line, and attachment name may all vary.

Sample Phishing email

Attachment: Order No. 1710010.gz [attachment name may vary]

From: Tracey Adams <order at batsam.de>
Date: Thu 1/5/2017 5:27 AM
Subject: [Executable Attachment]Order No. 1710010

Good Morning,

Happy New Year !!! 

Find attached our new purchase order 1710010 

Your confirmation order is required in the next 48 hours Indicating 
possible differences in dates, prices, 
quantities, ... otherwise we will consider you accept the 
conditions we indicate in the order. 

For any doubt, please, do not hesitate contact me. 

Best regards,

Tracey Adams 
Departamento de Compras / Purchasing Dept. 
Tlfn :. 947 28 11 08 - Ext 111 
Email:  order at batsam.de 
Warehouse working hours: From 09:00 am to 13:30 pm and from 16:00 pm to 18:00 pm from Monday to Friday.


How do I know this is a phishing attempt?

  • There’s no context around the order. There’s also an unexpected attachment.
  • Unfortunately, the days of looking at an email and knowing immediately that it's a phishing attempt are over. The sender address and any logo may look authentic. Pay attention to what the email is asking you to do, or if it has an unexpected attachment.
  • RIT does not send out emails requesting your password or asking you to validate your webmail or assist with quarantine by clicking on a link, etc.
  • Phish use a common technique of trying to impart a sense of urgency and trying to get you to supply the requested information quickly. 
  • You'll note that the sender address looks legitimate and may be from a compromised external email account.
  • For more information about Phishing, please visit the RIT Information Security Phishing page

What is RIT doing to protect me?

  • RIT blocks most phishing/malware attacks from reaching RIT e-mail accounts.
  • myMail.rit.edu has not been compromised.
  • McAfee VirusScan (McAfee HIPS) with up-to-date virus definitions will protect against viruses and many other threats that may be associated with phishing emails. (Antivirus software is available free to RIT students, faculty, and staff for home use from http://www.rit.edu/its/services/security/).
  • MySpam will block many of these phishing e-mails. However, senders actively modify messages to avoid spam traps, and that allows a few to slip through.

What can I do to protect myself?

  • Unless you’re expecting an attachment, don’t open it without ensuring that it’s legitimate.
  • Phishing attacks can come through emails, texts, social media messages, and phone calls. Be careful!
  • Before clicking on any link, hover your cursor over the link to determine where clicking on the link will take you. On mobile devices, you can press on the link until you get the pop up showing the actual destination for the link.
  • Delete the e-mail. If you clicked on the link, change your password IMMEDIATELY, scan your systems for viruses and spyware, and report the situation to your Help Desk (SCOB, NTID, ITS).
  • Report phishing attempts by creating a new message to spam@rit.edu and dragging the suspected phishing message into the new message. 
  • Visit the RIT Information Security Phishing page at http://www.rit.edu/security/content/phishing for information on keeping yourself safe from phishing attempts.

For More Information

Visit the RIT Information Security website and explore our best practices for keeping you and your information safer on line. <http://www.rit.edu/security>

REMEMBER: RIT will NEVER ask for your password through e-mail.

Quick Infosec Tip: We’re starting to enter tax season. Be alert for tax-related phishing and scams. We’ll talk more about these this month.