So, this one is the next new criminal low.
This particular phish spoofs a campus-wide security alert for a community college (confidential information blocked out) in Florida.
Given that it appears to be tailored to a particular educational institution and its students and employees, it’s a good bet that other educational institutions could see similarly targeted phishing attacks. From there, the campaign will move to other targets.
What makes this particular attack so infuriating is that it exploits current concerns over active shooters on education campuses — a sensitive issue that could likely generate panicked, reflexive clicks from recipients who are already on edge over the recent shooting at Marjory Stoneman Douglas High School — also in Florida.
This social engineering scheme could be easily used against any school system, state and local government, large private corporations (think of the recent mass shooting at YouTube headquarters) — or any organization that is likely to have established active shooter protocols and training in place.
If there is any saving grace with this phish, it lies with the awkward choice of language (“an emergency scare”), which should tip off most users that something is not right with this email. Those for whom English is second language might not pick up on that, though, and students whose native language is not English are quite common on college campuses.
We have seen several variations on this Scam Of The Week with the following subject lines:
- “IT DESK: Security Alert Reported on Campus”
- “IT DESK: Campus Emergency Scare”
- “IT DESK: Security Concern on Campus Earlier”
All three contain embedded links that lead to credentials phishes that spoof Microsoft — a large IT presence on campuses.
It’s worth noting that institutions of higher education are at higher risk for phishing attacks generally, as well as ransomware attacks.
I suggest you send this email to your employees, friends and family, whether they are in a college or not. Feel free to copy/paste/edit:
"Heads-up. You'd think it could not get any worse, but some bad guys have sunk to a new low. They are now exploiting recent active shooter events on campus to get people panicked and "click-by-reflex" to find out if a loved one is safe. This same phishing attack could be used against any organization with an active shooter protocol and training in place. If you see emails with titles like:
- “IT DESK: Security Alert Reported on Campus”
- “IT DESK: Campus Emergency Scare”
- “IT DESK: Security Concern on Campus Earlier”
Please think before you click, and look for any red flags related to a phishing scam. In any case, click on the Phish Alert Button to send this email to IT."
In this particular case, KnowBe4 is *not* providing pre-made templates to send out.
This type of template has what we call a high "runaway risk" meaning recipients will forward the simulated attack to authorities, the police, and/or call 911, causing a potential further escalation, downtime and possible harm.
We do not recommend KnowBe4 customers create this type of template and send it to their users either. Stick with messaging, PSA's, banners, posters and other awareness training methods.
This is the first time in our history that we recommend not sending a phishing template when we seen an attack like this.
Let's stay safe out there.
Warm regards
Stu Sjouwerman
Founder and CEO, KnowBe4, Inc.
