Compliance Training Phishing Emails

Scams

April 20, 2023

The NJCCIC received reports of a spear phishing campaign targeting the education subsector and masquerading as New Jersey State compliance training. Observed activity correlates with blocked emails sent to New Jersey State employees and with similar reports to State Fusion Centers across the United States. In one of the campaigns, a compromised email account belonging to a school district employee was used to send fraudulent training compliance notifications. In an attempt to appear legitimate and authoritative, the body of the email contained a signature block that included “The office of Equal Opportunity and Access and Ethics Office,” an incorrect rendering of the New Jersey division’s actual title, the Office of Equal Employment Opportunity, Affirmative Action (EEO/AA). The email contains additional red flags and the typical verbiage used to instill a sense of urgency and fear should the recipient not comply with the requested action. The email text claims that the training must be completed within 24 hours, further stating that failure to complete it may result in administrative fines, disciplinary action, and reporting to the applicable state agency. In one example (image above), the email states that the unnamed employee must complete the training defined in Mandatory Training Policy 3364-25-127, which is an Ohio administrative code, not a New Jersey one. All included links directed the user to a now-defunct website, limiting analysis of the senders’ intent.
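The red flags listed above (a 24-hour deadline, threats of fines and disciplinary action, an out-of-state policy code, a misnamed signature block, and links that leave the organization’s domains) are the kind of indicators a mail-filtering or triage rule can score. The following Python is an added illustration written for this page, not NJCCIC tooling or a published detection rule: the indicator weights, the review threshold, the trusted-domain allowlist and both sample emails are constructed assumptions, and the Ohio code pattern and office name come from the campaign description above.

```python
import re

# Heuristic indicators drawn from the campaign described above. Each entry is
# (indicator name, compiled pattern, weight). The weights are an assumption
# chosen for this example, not an NJCCIC scoring scheme.
INDICATORS = [
    ("threat_of_penalty",
     re.compile(r"administrative fines?|disciplinary action|"
                r"report(?:ed|ing) to the (?:applicable )?state agency", re.I), 3),
    ("mandatory_training_lure",
     re.compile(r"\b(?:mandatory|required|compliance)\s+training\b", re.I), 1),
    # The observed sample cited an Ohio administrative code (3364-25-127) to
    # New Jersey recipients; a policy citation from the wrong state is a strong flag.
    ("out_of_state_policy_code", re.compile(r"\b3364-\d{2}-\d{3}\b"), 3),
    # Misnamed signature block; the real NJ division is EEO/AA.
    ("misnamed_office",
     re.compile(r"office of equal opportunity and access", re.I), 2),
]
DEADLINE_RE = re.compile(r"\bwithin\s+(\d{1,3})\s+hours?\b", re.I)
URL_RE = re.compile(r"https?://([^/\s>\"']+)", re.I)

# Hosts the organization legitimately uses for training links. This allowlist
# is constructed for the example (an assumption), not a real deployment list.
TRUSTED_SUFFIXES = (".nj.gov",)

REVIEW_THRESHOLD = 5  # assumed cut-off; tune against real mail volume


def assess_email(text: str) -> dict:
    """Score an email for the red flags seen in this campaign.

    Returns the matched indicator names, a total score, and a verdict of
    'review' (route to the security team) or 'benign'.
    """
    hits = []
    score = 0
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            hits.append(name)
            score += weight
    # A completion deadline of two days or less is the classic urgency lever.
    m = DEADLINE_RE.search(text)
    if m and int(m.group(1)) <= 48:
        hits.append("short_deadline")
        score += 3
    # Flag links whose host is outside the organization's trusted domains.
    for host in URL_RE.findall(text):
        host = host.lower().split(":")[0]
        if not host.endswith(TRUSTED_SUFFIXES):
            hits.append("external_link")
            score += 2
            break
    verdict = "review" if score >= REVIEW_THRESHOLD else "benign"
    return {"score": score, "indicators": hits, "verdict": verdict}


# Constructed sample modelled on the campaign described above (not a real email).
SAMPLE_PHISH = """Subject: Mandatory Compliance Training - Action Required

All employees must complete the annual compliance training within 24 hours
as defined in Mandatory Training Policy 3364-25-127. Failure to complete the
training may result in administrative fines, disciplinary action, and
reporting to the applicable state agency.

Begin here: http://training-portal.example.net/login

The Office of Equal Opportunity and Access and Ethics Office
"""

# Constructed benign reminder for comparison (hostname is made up).
SAMPLE_BENIGN = """Subject: Quarterly compliance training now open

The quarterly compliance training module is open until the end of the month.
Access it through the HR portal: https://hr.example-district.nj.gov/training
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, assess_email(sample))
```

The scorer is deliberately additive: no single phrase decides the outcome, so a legitimate reminder that happens to say “compliance training” stays below the threshold, while a message stacking a short deadline, penalty threats and an off-domain link is routed for review rather than blocked outright.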

What Should I Do?

The NJCCIC advises against clicking on links in unexpected emails from unverified senders. Users are urged to confirm unusual requests to complete training with their organization’s compliance officer or HR representative. Additionally, users are encouraged to verify a website’s validity before entering account information and to remain cautious even when messages claim to come from legitimate sources.

If account credentials are submitted on a fraudulent website, users are advised to change their password, enable multi-factor authentication (MFA), and notify IT security personnel. Phishing emails and other malicious cyber activity can be reported to the NJCCIC and the FBI’s IC3. For any further questions, contact us here at Cyber Command.