We have all heard a great deal about identity theft this past year. Identity thieves and other criminals often use "phishing" scams, one of the fastest growing internet crimes, to steal personal information from a vast number of people.
Once the thieves have your personal, sensitive or financial data, they may:
- Create financial havoc for you by:
  - opening credit lines,
  - getting loans, or
  - declaring bankruptcy using your name.
- Buy "big-ticket" items like computers that they can easily sell.
- Embroil you in legal problems by giving your name to the police during an arrest.
- Sell your information to other thieves or even organized crime for further exploitation.
What is "phishing"?
"Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, [and other sensitive information]. By hijacking the trusted brands of well-known banks, online retailers, and credit card companies, phishers are able to convince up to five percent of recipients to respond to them," according to the Anti-Phishing Working Group. Phishing scams have also targeted universities, for example by spoofing pages from a Bursar or Registrar office.
Why are phishing scams so popular?
Phishing attacks are very effective because they are a form of "social engineering". Social engineering takes advantage of the interface between people and technology. People often trust information they receive via e-mail or from a website. However, it is simple for scammers to disguise (a.k.a. spoof) the origin of their e-mail or the location of their websites. This is done through spoofed e-mail, URL redirection, and browser hijacks such as injection attacks.
To complicate matters, it's not uncommon for businesses or institutions to ask for private or protected information in an e-mail or on a website. Even when an institution has a policy against such queries, employees may forget and ask for it anyway.
Everyone is potentially a target for phishing attacks. Recently, there have been localized attacks against such institutions as Citibank, University of Minnesota Federal Credit Union and Wells Fargo. There have also been customized attacks against universities, such as Penn State.
How do I spot a phishing attack?
Phishing websites often closely resemble legitimate websites, even to the point of using the graphics and links straight from the legitimate website. While phishing tricks are constantly evolving, one common trick is to put the login screen in a pop-up window, which lets the phisher copy the legitimate site exactly.
E-mails from phishers typically include upsetting or exciting (but false) statements to get people to react immediately. They also often ask for information such as usernames, passwords, credit card numbers, social security numbers, and other sensitive information. Phisher e-mails are typically not personalized, while valid messages from your bank or e-commerce company generally are.
For examples of phishing attacks, visit http://phishtank.internetdefence.net/.
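The warning signs listed above (urgent wording, requests for sensitive data, an impersonal greeting, and links whose visible text names a trusted site while the real destination is elsewhere) can be checked mechanically. The script below is an added example, not part of this page or of Pace University's tooling; the sample messages, the placeholder domain bank.example and the address 203.0.113.5 are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Warning signs listed on this page: urgent or upsetting wording, requests for
# credentials or financial data, an impersonal greeting, and links whose visible
# text names a trusted site while the real destination is somewhere else.
URGENT = ("immediately", "suspended", "urgent", "within 24 hours", "verify your account")
SENSITIVE = ("password", "social security", "credit card", "account number")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear valued")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # simplified
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def same_site(shown, real):
    """True if one hostname is the other or a subdomain of it (www.x.example vs x.example)."""
    return shown == real or shown.endswith("." + real) or real.endswith("." + shown)

def phishing_indicators(body_html):
    """Return the page's warning signs found in one HTML e-mail body (empty list if none)."""
    text = re.sub(r"<[^>]+>", " ", body_html).lower()
    found = []
    if any(w in text for w in URGENT):
        found.append("urgent or upsetting language")
    if any(w in text for w in SENSITIVE):
        found.append("asks for sensitive data")
    if any(g in text for g in GENERIC_GREETINGS):
        found.append("generic, non-personalized greeting")
    for href, visible in ANCHOR_RE.findall(body_html):
        real = (urlparse(href).hostname or "").lower()      # where the link really goes
        match = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", visible).lower())
        shown = match.group(1) if match else ""             # site named in the link text
        if IP_RE.fullmatch(real):
            found.append(f"link goes to a bare IP address ({real})")
        elif shown and not same_site(shown, real):
            found.append(f"link text shows {shown} but goes to {real}")
    return found

# Constructed sample messages (not real e-mails); bank.example is a placeholder domain.
SAMPLE_PHISH = ('<p>Dear Customer,</p><p>Your account has been suspended. Verify your '
                'password immediately at <a href="http://203.0.113.5/login">www.bank.example</a>.</p>')
SAMPLE_LOOKALIKE = ('<p>Dear Member, please <a href="http://bank.example.login-portal.test/">'
                    'log in at www.bank.example</a> to review your account.</p>')
SAMPLE_LEGIT = ('<p>Dear Jane Doe,</p><p>Your October statement is ready. Sign in at '
                '<a href="https://www.bank.example/">www.bank.example</a> to view it.</p>')
```

A message that trips several indicators deserves the out-of-band confirmation described later on this page; an empty result is not proof that a message is genuine.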
What should I do if I am targeted by a phishing attack?
If you receive an e-mail you suspect is a phishing scheme, confirm through other means that the e-mail, or the website it directs you to, is legitimate. This may mean that you need to contact a department within the University, or the customer service division of a bank.
For central University functions such as registration, e-mail, and payment, you should visit the MyPace Portal. If in doubt, remember that most functions are available from the MyPace Portal web page; reach it by typing http://portal.pace.edu directly into your web browser. Follow the links on this website rather than the ones in the e-mail.
Keep in mind that no one at Pace University will ever ask you for your password for any reason. Your password is yours; keep it private.
Recommended steps to thwart phishing attacks:
- Type the main site mentioned in the e-mail directly into your web browser, and check whether the site has an announcement about phishing attacks targeting it. Examples:
  - http://www.wellsfargo.com/privacy_security/fraud_prevention/ (found under "Fraud Prevention Guide")
  - http://pages.ebay.com/securitycenter/stop_spoof_websites.html (found under "Security Center" -> "Stopping spoof e-mails and Web sites")
  - http://www.tcfbank.com/Security/security_email_fraud.jsp (found under "Protect Yourself From Online and Email Fraud")
  - http://www.paypal.com/cgi-bin/webscr?cmd=_security-center-outside (found under "Security Center")
- Contact the sending individual or unit through other means to confirm the authenticity of the e-mail:
  - Find the e-mail address of the unit on a web page, type it into your e-mail client, and ask about the e-mail/site.
  - Call the unit and ask about the e-mail/site.
- If you determine that a website is legitimate, make sure it encrypts your data by using SSL. When SSL is in use, a lock icon will appear somewhere in your browser. However, even SSL can be spoofed by using incorrect certificates. If you get a dialog box asking you to install a certificate, confirm that the certificate is signed by a trusted source, such as Thawte or Verisign. If it is not, or if it is self-signed, contact the site owner through other means, like a phone call.
How do I report phishing scams?
Report phishing scams to US-CERT at www.us-cert.gov/nav/report_phishing.html. US-CERT collects phishing e-mail messages and website locations so that it can help people avoid becoming victims of phishing scams.
If you see a phishing attack that specifically targets the Pace University community, please contact the IT Security Office at ITSecurity@pace.edu. Please don't report phishing attacks aimed at your bank, eBay, etc. to ITSecurity@pace.edu; report them to US-CERT as described in the paragraph above.
What should I do if I have fallen victim to a phishing scam?
If you think you have fallen victim to a phishing scam, there is excellent advice on what to do at http://www.antiphishing.org/consumer_recs2.html.
Resources & Links
- Avoid Getting Hooked by Phishers - National Consumers League's Internet Fraud Watch
- How Not to Get Hooked by Phishing - FTC
- OUCH - SANS Monthly Report on Identity Theft & Attacks on Computer Users
- Recent Phishing Attacks at the University
- Anti-Phishing Working Group
- Spoofed/Forged E-mail - CERT
- E-mail Spoofing
- URL Redirection
- Browser Hijacks
- Phishing IQ Test
- Internet Defence Phishtank