Beware of ongoing spearphishing campaign

For the past few weeks, a large spearphishing campaign (e.g., a hacker/scam email that appears to be from an individual/business you know) has been underway, mainly targeting employees in Human Resources and Finance/Payroll. Given the success of this campaign at other large organizations, we expect similar campaigns to follow. Review the actions required if you receive a spearphishing message.

Beware of requests for sensitive documents

The spearphishing emails typically appear to come from an upper-level executive of the organization such as the President, CEO, or CFO and will make a simple request for sensitive documents. Any such request should be treated with suspicion and confirmed with the requester via phone call or separate email.

Report any messages you receive

In all cases of this email being received across UNC Health Care, the employee that received the email recognized the scam and appropriately reported the message to the , contacted the ISD Service Desk (984-974-4357 or via HEAT Cloud) or deleted the message.

Verify the 'reply-to' address

Another telling element of this spearphising campaign is the "reply-to" address. Even though the email appears to come from a legitimate member of the executive team, when the email is replied-to, the address will not be that of the requester, but rather an external address unrelated to UNC Health Care. If an email request from the CEO is suddenly being redirected to, it should be a good indicator that the request is not valid.

Example of spearphishing email

The following is an example of one such email that was received, and reported appropriately, through UNC Health Care's email system:

From: <CEO/President’s email address>
Date: February 27, 2016 at 3:06:01 AM EST
To: <an HR employee>
Subject: Wage Review

Hello <name>,

Kindly send me the W2's summarys for all employees in the company  for the 2015 tax year for i need to review them over the weekend. Have a nice weekend. Thank you.

<name of exec>

Thank you for your diligence and for helping to keep UNC Health Care and our information safe!

Filed under: ,