Unhook the phish: document-sharing scams

Welcome to Unhook the Phish, a series presented by the Fermilab Cybersecurity Team. This series offers a deep dive into common email scams (or “phishing”) by explaining the traditional features of these messages, how they try to trick you and easy ways to spot them in your inbox. If you ever suspect that you have received a malicious email, please forward it to the Cybersecurity Team at cybersecurity@fnal.gov. By doing so, you will be entered to win a collectible Fermilab trading card as a token of appreciation for your efforts.

Jessie Pudelek

When it comes to phishing emails, attackers will take advantage of any scenario to trick unsuspecting victims into clicking on a malicious link or giving up their credentials (username and password). One effective method of doing this is by crafting a message that appears to be coming from a popular cloud service, such as OneDrive, Dropbox, Google Drive and SharePoint. Typically, these messages claim that a document has been shared with you via one of these services and that you must click on a link to view the document. Clicking on the link will take you to a web form to steal your username and password instead of taking you to the cloud service.

Document-sharing scams can be even trickier if the attacker chooses to host their malicious content on the cloud service itself. This is possible because cloud services host content from all of their customers, both reputable and disreputable, and they may not have the time or resources to check everything stored there for malicious content. In these cases, the email you receive really does come from the cloud storage service, but the content it points to, such as a hosted document, is malicious. Either the document contains an embedded malicious link, or it asks you to enable macros to view its contents. Enabling macros on such a document runs malicious code that installs malware on your computer. When the source of the message is legitimate, it becomes much harder to judge the validity of the entire email, including the document.
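To make the two cases above concrete, here is an added example (not part of the Fermilab article) of a simple mail-filter check: it flags links in a message that names a cloud provider but whose link does not actually lead to that provider's domain. The provider allow-list is an illustrative assumption, the sample messages are constructed, and the attacker hostname is a placeholder; the second sample shows why a genuine share link to a malicious hosted document passes this check, which is the harder case the article describes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Services named in the article, with the hostnames their genuine share links use.
# Assumption: this short allow-list is illustrative, not a complete inventory.
PROVIDER_HOSTS = {
    "onedrive": ("onedrive.live.com", "1drv.ms"),
    "sharepoint": ("sharepoint.com",),
    "dropbox": ("dropbox.com",),
    "google drive": ("drive.google.com", "docs.google.com"),
}

class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_matches(host, allowed):
    """True if host is an allowed host or a subdomain of one (e.g. contoso.sharepoint.com)."""
    return any(host == a or host.endswith("." + a) for a in allowed)

def suspicious_links(html):
    """Return (text, href) for each link whose host is not one the named provider uses.
    A message naming no known provider yields nothing; a genuine share link also passes."""
    claimed = [name for name in PROVIDER_HOSTS if name in html.lower()]
    if not claimed:
        return []
    allowed = [h for name in claimed for h in PROVIDER_HOSTS[name]]
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for text, href in parser.links
            if not host_matches((urlparse(href).hostname or "").lower(), allowed)]

# Constructed lure: the text names OneDrive, but the link goes to a look-alike host (placeholder).
SPOOFED_LURE = ('<p>A document has been shared with you on OneDrive.</p>'
                '<a href="https://onedrive-secure-login.example/view?id=42">Open document</a>')
# Constructed message of the harder kind: the share link is genuine, so the check passes
# even though the hosted Invoice.docm might ask the reader to enable macros.
HOSTED_LURE = ('<p>Invoice.docm was shared with you on OneDrive.</p>'
               '<a href="https://onedrive.live.com/redir?resid=ABC123">Open</a>')
```

Run `suspicious_links(SPOOFED_LURE)` to see the mismatched link reported, and `suspicious_links(HOSTED_LURE)` to see the genuine-but-dangerous case slip through, which is why the verification tips below still matter.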

An added element of difficulty with these types of messages is that many companies use these cloud storage solutions for day-to-day tasks, meaning they are trusted services. In fact, Fermilab uses SharePoint and OneDrive as part of the Office365 suite, and these products are encouraged for collaboration. If you regularly receive emails from OneDrive, it becomes more difficult to distinguish the legitimate from the malicious ones.

The following screenshots show some examples of document-sharing scams.

Since document-sharing scams are one of the trickier forms of phishing to identify, it is important to be extra careful when handling these types of messages. Add these tips to your anti-phishing toolbox to help you avoid these scams.

  • Familiarize yourself with the cloud storage providers offered by Fermilab and the ones used most often by your team or department. Do the same for any that you use in your personal life. The goal is to know which providers you can legitimately expect email from. If you never use Google Drive for personal or work computing, a message claiming to be from that service is a sign that something is off. Also learn what a real email from your usual providers looks like: a message that does not match what you are used to seeing is an indicator that it could be a phishing email.
  • Observe the elements of the message. Do you recognize the email address and the name of the individual claiming to be sharing a document with you? What document is the sender sharing? Are you familiar with the document included in the message? Are you expecting a document to be shared with you via this cloud storage provider? If you answered no to any of these questions, avoid clicking on any part of the message, and confirm the legitimacy of the document by following the next two bullet points.
  • Call the individual who shared the document with you if you recognize the sender. It is important to use a method of communication outside email, such as the telephone, to confirm that they actually shared it. Verbal confirmation not only ensures that the document is indeed from a trusted source but also helps to rule out an email compromise or spoofing on their end.
  • Log in to your cloud service provider to access the shared document without having to click on the link. Real shared documents from trusted sources will be accessible from your online account. By navigating directly to the site, you bypass clicking on anything in an email. This method is the safest way to access the information you need.

Looking for more information about phishing and other cybersecurity resources?

Check out our website: securityawareness.fnal.gov.

Email us at cybersecurity@fnal.gov for general questions and to report phish.

Jessie Pudelek is a computer security analyst at Fermilab.