What is "phishing"?
Phishing is a lot like regular fishing: someone throws out a lure and waits to see what bites. A phishing scam is an attempt to steal your personal information via email, IM, chat, a web page, or even a pop-up window. The message appears to come from a legitimate source such as a trusted business, bank, or other institution, or even your employer or a trusted colleague or friend. It includes an urgent request for personal information, usually invoking some critical need to update an account immediately. Clicking on a link in the message leads to an official-looking website, but any personal information entered on that site goes directly to the fraudster.
The official-looking website is a fraud designed to mimic the real thing, often down to the smallest detail, including copyright notices, submenu titles and so on. It is virtually impossible for most people to tell they are the target of a phisher from the page's appearance alone. The address bar often reveals the deception, however. For example, "www.paypal.com" and "www.paypa1.com" may both look like the correct address at first glance, but take a second look: the second one replaces the letter "l" with the digit "1".
What can you do about it?
OK, so these criminals have many tricks up their sleeves, all aimed at maximizing the chance that a recipient will respond. So what can you do to protect both yourself and the integrity of campus computer systems? Here are some tips:
- Do not click on links, call phone numbers, or open attached documents found in a suspicious email.
- Don't respond to emails that request sensitive information. Understand that legitimate entities will not ask you to provide or verify sensitive information in an unsolicited email, IM, or other message. Any email asking for your credit-card numbers, PIN, Social Security numbers, or other sensitive data is a scam.
- If you receive such a message, call the company or institution and ask questions. Pick up the phone and dial the number you have on record for them (call 303.273.3866 to reach CCIT cyber-security personnel), not the phone number in the message, which may itself be fraudulent.
- Don't ever email personal, financial, or other sensitive information, even to a known correct address. Email is not a secure way to transmit personal information: by default it travels and is stored in plain text, and it can be read by third parties in transit or on any server it passes through.
- Even if you believe a message is valid, don't click on a link you did not request. Go to the company or institution's web site by typing their web address into your browser by hand.
- Conduct sensitive transactions only on a secure, encrypted web page that you trust. Follow these steps:
- First, type the web address into your browser by hand every time.
- Second, check to make sure the web site is the one you want. For example, are you actually at "www.paypal.com" or are you at "www.paypa1.com"?
- Third, check to make sure the page is encrypted: look for a closed padlock (current browsers show it in the address bar; older browsers put it in the status bar) and see that the URL starts with "https://" instead of just "http://". But beware, fraudsters can imitate all of these: an https:// prefix, a legitimate-looking address, and even the padlock icon. A fraudster can also obtain a perfectly valid certificate for a lookalike domain such as "www.paypa1.com", so the padlock only tells you the connection to the site you are on is encrypted, not that it is the site you meant to visit. To check for sure, click the padlock to display the web site's security certificate. If the name on the certificate does not match the address you typed, do not continue.
- Read your account statements thoroughly as soon as they arrive, or log in to your accounts online to make sure that all transactions shown are ones you actually made. Report discrepancies to your bank or card issuer right away.
- And as always, use good antivirus software and a good personal firewall. Ensure all of your software is kept up to date and all security patches are applied.
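The two checks above (is this really the address I meant, and does the certificate's name match it) can be written down as code. The following is an added example, not part of the CCIT page or any product it mentions. It assumes a short list of domains you actually log in to (`TRUSTED_DOMAINS`, a placeholder to replace with your own), uses the last two labels of a host as its registrable domain (a simplification that ignores public suffixes such as co.uk), and feeds a constructed certificate in the same dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, so it runs offline.

```python
"""Added example: spotting lookalike addresses and checking a certificate name against the host."""
import re
from urllib.parse import urlsplit

# Assumption: the reader's own list of institutions they actually log in to.
TRUSTED_DOMAINS = {"paypal.com", "mines.edu"}

# Character swaps that read the same at a glance: digit one for letter l, zero for o,
# "rn" for m, "vv" for w. Multi-character swaps are applied first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def skeleton(label: str) -> str:
    """Collapse confusable characters so 'paypa1' and 'paypal' compare equal."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list, so
    two-part suffixes such as co.uk are not handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_url(url: str) -> dict:
    """Decide whether a URL is one of your trusted sites, a lookalike, or something unrelated."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    reg = registrable_domain(host)
    result = {"host": host, "https": parts.scheme == "https", "verdict": "unknown", "reason": ""}

    if reg in TRUSTED_DOMAINS:          # www.paypal.com, login.mines.edu, ...
        result["verdict"] = "trusted"
        return result

    # Split on dots and hyphens so paypal-verify.com and paypal.com.secure-login.example
    # both expose the brand name as a separate label.
    labels = re.split(r"[.-]", host)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # paypa1.com has the same skeleton as paypal.com; paypal.com.evil.example embeds
        # the real brand in a domain registered by somebody else.
        if any(skeleton(lbl) == brand for lbl in labels):
            result.update(verdict="lookalike",
                          reason=f"{host} resembles {trusted} but is registered as {reg}")
            return result
    return result


def cert_matches_host(cert: dict, host: str) -> bool:
    """Does the name the certificate was issued for match the host in the address bar?
    `cert` uses the dict shape returned by ssl.SSLSocket.getpeercert()."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # older certificates: fall back to the subject common name
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = host.lower().rstrip(".")
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            # A wildcard covers exactly one leftmost label: *.paypal.com matches
            # www.paypal.com but neither paypal.com nor a.b.paypal.com.
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


# Constructed certificate (not a real one) as a phishing page at www.paypa1.com might
# present it. It is valid for the fraudster's own name, so the padlock still shows.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.paypa1.com"),),),
    "subjectAltName": (("DNS", "www.paypa1.com"), ("DNS", "paypa1.com")),
}


if __name__ == "__main__":
    for u in ["https://www.paypal.com/login", "https://www.paypa1.com/login",
              "http://paypal.com.secure-login.example/", "https://www.mines.edu/"]:
        r = classify_url(u)
        print(f"{r['verdict']:10} https={str(r['https']):5} {u}  {r['reason']}")
    print("cert matches the address you meant (www.paypal.com):",
          cert_matches_host(SAMPLE_CERT, "www.paypal.com"))
    print("cert matches the lookalike it was issued for:",
          cert_matches_host(SAMPLE_CERT, "www.paypa1.com"))
```

Note the last two lines: the fraudster's certificate does match "www.paypa1.com", which is exactly why the padlock alone proves nothing. The certificate check only helps when you compare the name on it against the address you intended to visit, and the address check only helps when you know which domains you actually use.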
What should you do if you're the victim of identity theft?
Go to http://www.privacyrights.org/fs/fs17a.htm for instructions on how to regain your financial health and who to contact. Act quickly and assertively to minimize damage.
To learn more, follow these links for information on phishing and other scams:
- The US Securities and Exchange Commission warns about phishing: http://www.sec.gov/investor/pubs/phishing.htm
- The US Justice Department phishing report: http://www.apwg.org/reports/DOJ_Special_Report_On_Phishing_Mar04.pdf
- US Federal Trade Commission phishing warning: http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.shtm