We have all heard a great deal about identity theft. Identity thieves and other criminals often use "phishing" scams, one of the fastest growing internet crimes, to steal personal information from a vast number of people. Once the thieves have your personal, sensitive or financial data, they may:
- Create financial havoc for you by:
  - opening credit lines
  - getting loans
  - declaring bankruptcy using your name
- Buy "big-ticket" items like computers that they can easily sell.
- Embroil you in legal problems by giving your name to the police during an arrest.
- Sell your information to other thieves or even organized crime for further exploitation.
What is "Phishing"?
Phishing scams use various means:
- 'spoofed' e-mails
- 'spoofed' text messages
- fraudulent websites
- pop-up windows
- telephone calls, voice messages or fax
These are designed to fool recipients into divulging personal financial data such as credit card numbers, debit account numbers, bank account numbers, account usernames and passwords, social security numbers, and other sensitive information. "By hijacking the trusted brands of well-known banks, online retailers, and credit card companies, phishers are able to convince up to 5% of recipients to respond to them," according to the Anti-Phishing Working Group. Phishing scams have also targeted universities, for example by spoofing pages from a Bursar or Registrar office.
Why are phishing scams so popular?
Phishing scams are very effective because they are a form of "social engineering." Social engineering takes advantage of the interface between people and technology. People often trust information they receive via e-mail or from a website. However, it is simple for scammers to disguise (spoof) the origin of their e-mail or the location of their websites. This is done through spoofed e-mail, spoofed text messages, URL redirection, and browser hijacks such as injection attacks.
Everyone is potentially a target for phishing scams.
How do I spot a phishing attack?
Phishing websites often closely resemble legitimate websites, even to the point of using the graphics and links taken straight from the legitimate website. While phishing tricks are constantly evolving, one common trick is to present the login screen in a pop-up window, which lets the phisher copy the legitimate site exactly.
E-mail or text messages from phishers typically include upsetting or exciting (but false) statements to get people to react immediately. They also often ask for information such as usernames, passwords, credit card numbers, social security numbers, and other sensitive information. Phisher e-mails and text messages are typically NOT personalized, while valid messages from your bank or e-commerce company generally are.
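The warning signs above (a link whose visible text names one site while it actually leads to another, a raw IP address as the host, a trusted brand buried inside a look-alike hostname, and URL redirection) can be checked mechanically. The following script is an added example, not code from the original page or from the University; it parses a constructed sample HTML e-mail and reports why each link looks suspicious. The trusted-brand list and the sample message are assumptions made for the example, and the host and domain names in it are reserved documentation addresses.

```python
"""Flag suspicious links in an HTML e-mail body.

Added example (not part of the original page). The checks encode the
warning signs described above: link text that displays one domain while
the href points somewhere else, a raw IP address as the host, a trusted
brand name embedded in a look-alike hostname, and a redirect parameter
that carries a second URL.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumption: the brands this organisation wants to protect. A real
# deployment would load this list from configuration.
TRUSTED_DOMAINS = ("umn.edu", "wellsfargo.com", "paypal.com")

# Constructed sample message; 192.0.2.10 and the example.* names are
# reserved documentation addresses, not real phishing infrastructure.
SAMPLE_EMAIL = """
<p>Your account will be suspended. <a href="http://192.0.2.10/login">Verify now</a></p>
<p>Or sign in at <a href="http://www.paypal.com.secure-verify.example.net/">www.paypal.com</a></p>
<p>Registrar notice: <a href="https://onestop.umn.edu/">OneStop</a></p>
<p><a href="http://redirect.example.org/go?url=http://bad.example.net/">Click here</a></p>
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive 'example.com' from 'a.b.example.com' (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_link(href, text):
    """Return a list of human-readable reasons the link looks suspicious."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if not host:
        return reasons
    if IPV4.fullmatch(host):
        reasons.append("host is a raw IP address")
    # Displayed text names a site, but the href leads to a different one.
    shown = DOMAIN_IN_TEXT.search(text.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"link text shows {shown.group(1)} but href goes to {host}")
    # A trusted brand appears as a label inside a hostname it does not own.
    actual = registrable_domain(host)
    for brand in TRUSTED_DOMAINS:
        label = brand.split(".")[0]
        if brand != actual and re.search(rf"(^|[.-]){re.escape(label)}([.-]|$)", host):
            reasons.append(f"hostname {host} imitates {brand}")
            break
    # An open-redirect style parameter carrying another URL.
    for key, values in parse_qs(parsed.query).items():
        for value in values:
            if re.match(r"https?://", value, re.IGNORECASE):
                reasons.append(f"query parameter {key!r} redirects to {value}")
    return reasons


def scan_email(html):
    """Return [(href, text, reasons), ...] for every link in the message."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, text, analyze_link(href, text)) for href, text in extractor.links]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {text!r} -> {href}")
        for reason in reasons:
            print(f"           - {reason}")
```

Run as-is, the script marks three of the four sample links as suspicious and passes the genuine OneStop link. The registrable-domain helper takes the last two labels only, so country-code domains such as `co.uk` would need a public-suffix list in a production filter; the checks are heuristics that catch the common tricks described above, not a substitute for confirming a message through other means.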
What should I do if I am targeted by a phishing scam?
If you receive an e-mail or text message you suspect is a phishing scheme, confirm through other means that the message, or the website or phone number it directs you to, is legitimate. This may mean that you need to contact a department within the University, or the Customer Service division of a bank.
For central University functions such as registration, bursar, or admissions, the familiar U of M login page should appear for any real U of M pages that ask for personal information. If in doubt, remember that most functions are available by going to the OneStop web page. Follow the links there rather than the ones in the e-mail.
Recommended steps to thwart phishing scams:
- Type the main site mentioned in the e-mail directly into your web browser, and check whether the site has an announcement about phishing attacks targeting it. Examples:
  - http://www.wellsfargo.com/privacy_security/fraud_prevention/ (found under "Fraud Prevention Guide")
  - http://pages.ebay.com/securitycenter/stop_spoof_websites.html (found under "Security Center" -> "Stopping spoof e-mails and Web sites")
  - http://www.tcfbank.com/Security/security_email_fraud.jsp (found under "Protect Yourself From Online and Email Fraud")
  - http://www.paypal.com/cgi-bin/webscr?cmd=_security-center-outside (found under "Security Center")
- Contact the sending individual or unit through other means to confirm the authenticity of the e-mail:
  - Find the e-mail address of the unit on a webpage, and type it into your e-mail client. Ask about the e-mail/site.
  - Call the unit, and ask about the e-mail/text message/website.
- If you determine that a website is legitimate, make sure it encrypts your data using SSL. When SSL is in use, a lock icon appears somewhere in your browser. However, even SSL can be spoofed by using incorrect certificates. If you get a dialog box asking to install a certificate, confirm that the certificate is signed by a trusted source, such as Thawte or VeriSign. If it is not, or if it is self-signed, contact the site owner through other means, like a phone call.
How do I report Phishing scams?
Please report phishing scams to the US-CERT. The US-CERT is collecting phishing e-mail messages and Web site locations so that they can help people avoid becoming victims of phishing scams.
If you see a phishing scam that specifically targets the University of Minnesota, please contact University Information Security at firstname.lastname@example.org. Please don't report phishing attacks aimed at your bank, eBay, etc. to email@example.com; report them to the US-CERT, as described in the paragraph above.
What to do if you have fallen victim to a Phishing scam
If you think you have fallen victim to a phishing scam, there is excellent advice on what to do at the Anti-Phishing Working Group Web site.
Resources & Links:
- Example of Phishing Scams Targeted at UMN
- How Not to Get Hooked by Phishing - FTC
- Phishing Attacks Targeted at the University
- Anti-Phishing Working Group
- Phishing IQ Test
- How Text Messaging Scams Work - ComputerWorld