It has recently come to our attention that libraries around the state have been receiving spoofed emails containing fake invoices and embedded links from what appears to be state employees’ email addresses. This includes spoofed emails from LDN staff members, including division director Jennifer Peters. We are currently monitoring the situation. It is not standard agency practice for program staff to send invoices. If you receive an email that appears to be from the Texas State Library and Archives Commission, please feel free to contact us to verify its origin. Our staff directory is found on our website, or you can call (800) 252-9386 (toll-free). You can also email us at firstname.lastname@example.org.
In light of this evolving situation, we want to make sure you are aware of a few tips to help you spot spoofed or phishing emails, as well as resources where you can learn more.
What is spoofing? Spoofing is when cyber-criminals create fake, official-looking emails which instruct you to take precautionary measures to protect your finances or reputation. They’ll often embed corporate logos or other identifying graphics just to make things seem more authentic. Like a wolf in sheep’s clothing, they claim to warn you that identity thieves are targeting you and action must be taken to prevent it. In fact, the senders are the very identity thieves they purport to be protecting you from. The spoofing email urges you to click on a link within the message. Doing so is a mistake: it executes malware – a malicious file that damages your operating system, important applications, and even your whole network.
What is phishing? Phishing is a form of spoofing that adds a fake web page to ‘reel’ you in to believing the hacker is a trusted source. Like spoofing, you receive a legitimate-looking message, but the link within takes you to an often realistic-looking, but totally fake website in your browser. The bogus website asks you to enter sensitive, personal, or confidential account information, such as login/password, social security number and even bank account information. An example of phishing would be asking for personal information in an email that appears to come from a government employee, but in reality comes from someone unassociated with the agency!
How can I tell a fake email from a real email? It can sometimes be difficult to tell a fake email from a real email. A few key items to look at when confirming the legitimacy of an email are:
- Spelling or grammatical errors – these could be a clue that the email is not legitimate.
- URLs included in the email – always check the destination of URLs by hovering over the link. Links that send you to the Texas State Library website should begin with https://www.tsl.texas.gov.
- Telephone contact information from the wrong area code (TSLAC should be 512).
- Check the email message header information (instructions for how to view in MS Outlook) to confirm whether the email addresses in the FROM, REPLY-TO, and RETURN-PATH are the same.
  - FROM email@example.com – This appears to come from a legitimate source on a spoofed message.
  - REPLY-TO firstname.lastname@example.org – This can also be spoofed, but a lazy scammer might leave the actual REPLY-TO address. If you see a different sending address here, the email might have been spoofed.
  - RETURN-PATH hacker@tryingtophishyou.com – This can also be spoofed, but a lazy scammer might leave the actual RETURN-PATH address. If you see a different sending address here, the email might have been spoofed.
  - SOURCE IP address or “X-ORIGIN” address – This is typically more difficult to alter, but it is possible. To use this check, you need to know which IP address the sender’s legitimate mail service delivers from and compare it with the address listed here. If they differ, the message came through a different mail service.
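The header comparison described in the list above, as an added example that is not part of the original notice: a small Python script that parses a constructed sample message, extracts the domains of FROM, REPLY-TO and RETURN-PATH, pulls the originating IP from the earliest Received header, and reports each mismatch. The sample message, the `tryingtophishyou.example` domain and the `KNOWN_SENDER_IPS` set are constructed placeholders; in practice the known IPs would be the legitimate sender’s real outbound mail servers.

```python
"""Flag header mismatches (From / Reply-To / Return-Path / origin IP) in a raw e-mail."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message for the example; none of these addresses or hosts are real.
SAMPLE = """\
Return-Path: <hacker@tryingtophishyou.example>
Received: from mail.tryingtophishyou.example (mail.tryingtophishyou.example [203.0.113.7])
\tby mx.library.example with ESMTP id abc123; Mon, 1 Jan 2024 09:00:00 -0600
From: "Jennifer Peters" <staff.member@tsl.texas.gov>
Reply-To: payments@tryingtophishyou.example
Subject: Invoice #4471 due

Please see the attached invoice.
"""

# Assumption (constructed): the outbound IPs the legitimate sender's mail service uses.
KNOWN_SENDER_IPS = {"198.51.100.10", "198.51.100.11"}


def domain_of(addr_header):
    """Return the lower-cased domain of an address header value ('' if absent)."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def origin_ip(msg):
    """Bracketed IP from the earliest Received header (the last one listed).
    Hops you trust add reliable Received lines; the earliest one can still be forged."""
    received = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    return m.group(1) if m else None


def check_headers(raw, known_ips=KNOWN_SENDER_IPS):
    """Return a list of findings; an empty list means the addresses and origin agree."""
    msg = message_from_string(raw)
    from_d = domain_of(msg["From"])
    findings = []
    for name in ("Reply-To", "Return-Path"):
        d = domain_of(msg[name])
        if d and d != from_d:
            findings.append(f"{name} domain {d!r} differs from From domain {from_d!r}")
    ip = origin_ip(msg)
    if ip and ip not in known_ips:
        findings.append(f"origin IP {ip} is not a known mail server for {from_d!r}")
    return findings
```

Calling `check_headers(SAMPLE)` on the constructed message reports all three mismatches; a message whose headers agree and whose origin IP is in the known set returns an empty list.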
If you receive an email that definitely looks fake, delete it right away. You can also check with the sender to see if it was legitimate. Always be extremely cautious about clicking on any links or files that come from an unexpected, suspicious email. As a rule of thumb, it is always best to visit a trusted site by going to it directly in your browser (typing the address or using a saved bookmark) before ever using a link within an email, just to ensure you are logging in to the legitimate site and not a fake, phishing one.
Here are a few additional resources that may help you in learning about phishing and spoofing.
- Tech Tip: What is phishing and how to report it? – Explanation of phishing from the Penn State Library.
- Phishing Quiz – From Google, this quiz walks you through example phishing emails to help you better understand how to identify fake communication.
- 10 Tips on How to Identify a Phishing or Spoofing Email
Again, please do not hesitate to contact us directly if you wish to confirm the legitimacy of any communications from the Texas State Library and Archives Commission.