The Public Honors College
St. Mary's College of Maryland

Student Support Center: CTSS

Phishing

Phishing is a well-established scam in which an email falsely claiming to come from an established, legitimate enterprise tries to trick the user into surrendering private information that will be used for identity theft.

The Support Desk has become aware that emails have been sent to SMCM email accounts with a subject line similar to "Your account will expire in 2 Days" and "Final Notification". The email asks you to provide your email logon information. Please do not reply to this email or click on links in the email. This email is an attempt to obtain your username and password information.

Things to remember:

Reputable organizations NEVER ask for personal identifying information in an email.  Examples include any combination of the following: name, address, telephone number, social security number, username, email address, passwords, date of birth, government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer’s Internet Protocol address, or routing code.

  • You should never click on any links in an email that includes an unsolicited request for private information.
  • If unsure, it is always best to pick up the phone and call the company directly.

Phishing is a social engineering attack (which is why spam filters are often ineffective). Prevention is best achieved through user education and awareness.

What to do if you accidentally happen to send along your password:

If you accidentally succumb to a phishing scam on any of your College or personal accounts and send along your username and password, there are 2 things you should do immediately:

  1. Log in to your account and change your password. Again, do this immediately.
  2. Alert the account system administrator. This will enable them to monitor your account for irregular behavior.

Don't Get Hooked!

Bots create the majority of phishing emails:

  • Bot: a robot; a piece of software designed to complete a minor but repetitive task automatically and on command.  There are good bots and bad bots.  An example of a good bot is one that is used by Google to search the Web for relevant pages.  They do not harm anyone's data, but are merely "surveyors" that bring data back to Google.  An example of a bad bot is one that is written by a programmer with bad intentions; they use bots to generate mass emails asking for information, such as banking information, addresses, login names, passwords, etc.  These are "phishers."

This is an example of a phishing email message:

St.Mary College Webmail : Update Your Email Account
St.Mary College [nu_telecom@sbcglobal.net]
Sent: Saturday, September 26, 2009 12:53 AM

Dear E-mail User,

To complete your Account Verification process, you are to reply this message and enter your Username and Password respectively in the space provided below this email.You are required to do this before the next 48hrs of receipt of this e-mail, or your mail Account will be de-activated and erased from our Database. Your account can also be verified at:

https://webmail.smcm.edu/OWA/

Enter Username (             )
Enter Password (             )

Thank you for using St.Mary College Webmail

There are several things wrong with this email that you can use to determine that it was a phishing attempt:

  1. The title
  2. The from field
  3. The time it was sent
  4. We don't "erase email accounts from our database."  Unless you've graduated, you don't have to worry about your email going away anytime soon.
  5. The link most likely doesn't go to the Web site listed.  Although the listed Web site looks legitimate, the actual Web site it takes you to probably is not.  The creators of these bots that generate these emails can create a Web site that can look like our Webmail login site (or your bank website, etc.), but the link will take you somewhere else, and by the time you've clicked on it, it's too late.
  6. CTSS WILL NEVER EVER ASK FOR YOUR LOGIN CREDENTIALS.  EVER.

There are ample reasons why this email was a fraud.  If you ever get any more emails like this one, please make sure to look carefully at the contents and syntax to determine whether this was written by an intelligent human being or a programmed bot.  We don't want anyone's data getting stolen like this!
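
The following Python is an added example, not part of the original page or any CTSS tool. It applies items 2, 4, 5 and 6 of the list above to a message. The sample message is constructed from the email quoted above; ORG_DOMAIN, ORG_NAMES, the indicator names and the link target login.example.invalid are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "smcm.edu"            # assumption: the College's mail domain
ORG_NAMES = ("st.mary", "smcm")    # assumption: names a spoofer would borrow

# Constructed sample. Headers and wording follow the message quoted above;
# the href target is a placeholder, because the page does not show the real one.
SAMPLE = """\
From: St.Mary College <nu_telecom@sbcglobal.net>
Subject: St.Mary College Webmail : Update Your Email Account
Content-Type: text/html

<p>To complete your Account Verification process, you are to reply this
message and enter your Username and Password. You are required to do this
before the next 48hrs, or your mail Account will be de-activated.</p>
<a href="http://login.example.invalid/owa">https://webmail.smcm.edu/OWA/</a>
"""

# Regex anchor extraction keeps the example short; production mail filters
# should use a real HTML parser.
ANCHOR = re.compile(r"""<a\b[^>]*\bhref\s*=\s*["']([^"']*)["'][^>]*>(.*?)</a>""", re.I | re.S)

def host(url):
    """Lower-cased hostname of a URL, or '' if the text is not a URL."""
    return (urlparse(url.strip()).hostname or "").lower()

def phishing_indicators(raw):
    """Return the indicators from the list above that this message shows."""
    msg = message_from_string(raw)
    body, found = msg.get_payload(), []
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    in_org = domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)
    if any(n in name.lower() for n in ORG_NAMES) and not in_org:
        found.append("display-name-spoof")      # item 2: the From field
    if re.search(r"\b\d+\s*(hrs|hours|days)\b|de-?activated|erased", body, re.I):
        found.append("deadline-threat")         # item 4: threat of deletion
    if any(host(text) and host(text) != host(href)
           for href, text in ANCHOR.findall(body)):
        found.append("link-text-mismatch")      # item 5: text and target differ
    if re.search(r"\b(username|password)\b", body, re.I):
        found.append("credential-request")      # item 6: asks for the login
    return found

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```

A message from an address inside the organization whose link text and target agree, and which asks for nothing, returns an empty list.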

For more tips on “How Not to Get Hooked by a ‘Phishing’ Scam” go to the following links by the Federal Trade Commission and antiphishing.org:

http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.shtm

http://education.apwg.org/r/en/index.htm




St. Mary's College of Maryland
18952 E. Fisher Rd
St. Mary's City, MD 20686-3001
240-895-2000