- Secure a University Computer
- Secure a Student Personal Computer
- Secure a Home Personal Computer
- Security Tools & Downloads
- Digital Copyright
- Safe Computing Topics
We have all heard a great deal about identity theft. Identity thieves and other criminals often use "phishing" scams, one of the fastest growing internet crimes, to steal personal information from a vast number of people. Once the thieves have your personal, sensitive or financial data, they may:
Phishing scams use various means:
These are designed to fool recipients into divulging personal financial data such as credit card numbers, debit account number, bank account number, account usernames and passwords, social security number, [and other sensitive information]. By hijacking the trusted brands of well-known banks, online retailers, and credit card companies, phishers are able to convince up to 5% of recipients to respond to them," according to the Anti-Phishing Working Group. Phishing scams have also targeted Universities, for example by spoofing pages from a Bursar or Registrar office.
Phishing scams are very effective because they are a form of "social engineering." Social engineering takes advantage of the interface between people and technology. People often trust information they receive via e-mail or from a website. However, it is simple for scammers to disguise (aka spoof) the origin of their e-mail or the location of their websites. These are done through spoofed e-mail, spoofed text messages, URL redirection, and browser hijacks, such as injection attacks.
Everyone is potentially a target for phishing scams.
Phishing web sites often closely resemble legitimate websites, even to the point of using the graphics and links straight off of the legitimate website. While phishing tricks are constantly evolving, one common trick is to have a login screen in a pop-up window, which allows them to copy the legitimate site exactly.
E-mail or text messages from phishers typically include upsetting or exciting (but false) statements in their e-mails/text to get people to react immediately. They also often ask for information such as usernames, passwords, credit card numbers, social security numbers, and other sensitive information. Phisher e-mails /text messages are typically NOT personalized, while valid messages from your bank or e-commerce company generally are.
If you receive an e-mail/text message you suspect is a phishing scheme, confirm through other means that the e-mail/text message or the website/phone number it directs you to, is legitimate. This may mean that you need to contact a department within the University, or the Customer Service division of a bank.
For central University functions such as registration, bursar, or admissions, the familiar U of M login page should appear for any real U of M pages that ask for personal information. If in doubt, remember that most functions are available by going to the OneStop web page. Follow the links there rather than the ones in the e-mail.
Please report phishing scams to the US-CERT. The US-CERT is collecting phishing e-mail messages and Web site locations so that they can help people avoid becoming victims of phishing scams.
If you see a phishing scam that specifically targets the University of Minnesota, please contact University Information Security at email@example.com. Please don't report phishing attacks aimed at your bank or E-Bay (etc.) to firstname.lastname@example.org, report them to the US-CERT. See the paragraph above.
If you think you have fallen victim to a phishing scam, there is excellent advice on what to do at the Anti-Phishing Working Group Web site.