Anyone who uses the Internet--particularly those who use the Internet for commerce--should be aware of "phishing" scams. These scams are currently on the rise and show no signs of abating any time soon. Phishing is an "attack" on email and Web users that attempts to gather personal information from you and potentially separate you from your hard-earned cash. "Phishers"--i.e. those who perpetrate such scams--use fraudulent email coupled with a cleverly crafted Web site designed to trick Web users into divulging personal information. They primarily seek personal financial information such as credit card numbers, bank information, account information, passwords, Social Security numbers, etc. The email and Web pages are cleverly crafted imitations of those of well-known banks, credit card companies, and online merchants such as PayPal and eBay. Phishers attempt to trick unsuspecting recipients into visiting their site and entering whatever personal information the phishers are seeking.
According to several online security sources and recent reports on the University campus, the number of phishing scams is on the rise. Along with the increase in the number of scams, the sophistication of the presentation and the detail that the authors of the scams, or "phishers", put into their designs have dramatically increased. They go to great lengths to make their presentation to their intended victims as realistic as possible.
What can you do to avoid Phishing Scams?
- Be suspicious of any email with urgent requests for any form of personal or financial information.
The phishers will use many different tricks to lure you in, such as exciting news of a special deal available this day only, upsetting news about your account, or any other possible "urgent" enticement to get you to follow a Web link. On the Web page they will seek additional personal information, such as credit card information, account information, etc. These emails will usually NOT be personalized as a valid message from a bank or online merchant generally would be (some may be addressed to an email address--not necessarily yours!).
The phishers will use bulk mail, open relays or any form of email delivery they can grab quickly and that cannot be traced back directly to themselves. They will craft a special reply-to address in the message to make sure that you think it's from a real business, but then place a caveat at the bottom of the email effectively stating "Don't reply to this message". The reason is that this is not a real email from the company and the phishers cannot receive the email being replied to. This is the reason they make you go to a Web page to enter your information.
In addition, you should never click on a hyperlink in an email unless you are absolutely sure you trust the sender (and maybe not even then). The resource at the bottom of this page contains information about a particularly sophisticated attack that can spoof the address bar in your Web browser when you click on the embedded hyperlink in a phishing email. That is, the browser window that pops up will look and feel like a real browser, but the phisher has altered the Address bar (where you enter the URL) to look like a secure Web site (even using "https" in the URL), when, in fact, the Web address is completely fake. This attack is so malicious that the phisher can even follow you when you surf the Web using the fake browser window, logging the Web sites you visit and possibly even recording any passwords you may enter.
In many cases the intended victims do not even do business with the supposed company sending the email. If you don't do business with the sender of an email requesting such information, it is probably a phishing scam.
Remember that a company you do business with will usually know who you are, so the message will include your real name or other proper identification information. Many companies now send digitally signed email. They also already HAVE your financial information, personal data, etc., so why should they need to email you seeking such information?
- If you suspect the email isn't real, do not follow any link in the email to take you to another Web page to enter personal information.
The Web site may look real in the email, but the link will take you to the phisher's Web page, where they will try to get you to enter the information. If you think you need to contact the company, you should go directly to the business's Web page by entering its Web address in the Address bar of your Web browser, or simply call them.
- Never enter personal or financial information into any email form.
Simply put, it is not secure, and such a form is usually a dead giveaway that something is up. Always use a secure Web site to send information to a business, or place a phone call to the company's proper phone number and NOT a phone number found in the email.
- Secure Web sites are mandatory for such information.
Secure Web sites will begin with "https://" instead of "http://" (notice the "s"). This indicates a secured Web site. Additionally, a Web browser like Internet Explorer should show a little padlock in a locked position in the bottom of the browser window (other browsers have their own method of indicating a secure browser -- when in doubt, check the Help information for the browser or contact the IT Help Desk).
- Regularly log into online accounts and check your statements.
If you have any online accounts, you should check into them monthly. This will help ensure that only you are utilizing these accounts. Always report any suspicious transaction to your bank and credit card companies.
Take a Phishing Quiz!
Follow the link below to see if you can spot the phishing scams! This is trickier than it appears: IT's own head of IT Security only scored an 80%!
What to do if you encounter an instance of illegal file sharing?
- REPORT IT!
Contact the IT Help Desk at 573-341-4357 (HELP) and report the incident. We will look into the situation and notify the proper authorities.
For more information please visit:
- Anti-Phishing Workgroup: http://www.antiphishing.org/