Overview

• Secure a University Computer
• Secure a Student Personal Computer
• Secure a Home Personal Computer
• Security Tools & Downloads
• Digital Copyright
• Safe Computing Topics

Help & Support

• Technical Support

Office of Information Technology (OIT) > Safe Computing > Safe Computing Topics > Phishing Scams

Phishing Scams

We have all heard a great deal about identity theft. Identity thieves and other criminals often use "phishing" scams, one of the fastest growing internet crimes, to steal personal information from a vast number of people. Once the thieves have your personal, sensitive or financial data, they may:

• Create financial havoc for you by
  1. opening credit lines
  2. getting loans
  3. declaring bankruptcy using your name.
• Buy "big-ticket" items like computers that they can easily sell.
• Embroil you in legal problems by giving your name to the police during an arrest.
• Sell your information to other thieves or even organized crime for further exploitation.

What is "Phishing"?

Phishing attacks use various means:

• 'spoofed' e-mails
• 'spoofed' text messages
• fraudulent websites
• pop-up windows
• telephone calls, voice messages or fax

These are designed to fool recipients into divulging personal financial data such as credit card numbers, debit account number, bank account number, account usernames and passwords, social security number, [and other sensitive information]. By hijacking the trusted brands of well-known banks, online retailers, and credit card companies, phishers are able to convince up to 5% of recipients to respond to them," according to the Anti-Phishing Working Group. Phishing scams have also targeted Universities, for example by spoofing pages from a Bursar or Registrar office.

Why are phishing scams so popular?

Phishing attacks are very effective because they are a form of "social engineering." Social engineering takes advantage of the interface between people and technology. People often trust information they receive via e-mail or from a website. However, it is simple for scammers to disguise (aka spoof) the origin of their e-mail or the location of their websites. These are done through spoofed e-mail, spoofed text messages, URL redirection, and browser hijacks, such as injection attacks.

To complicate matters, it's not uncommon for businesses or institutions to ask for private or protected information in an e-mail or on a website. Even when an institution has a policy against such queries, employees may forget and ask for it anyway.

Everyone is potentially a target for phishing attacks.

How do I spot a phishing attack?

Phishing web sites often closely resemble legitimate websites, even to the point of using the graphics and links straight off of the legitimate website. While phishing tricks are constantly evolving, one common trick is to have a login screen in a pop-up window, which allows them to copy the legitimate site exactly.

E-mail or text messages from phishers typically include upsetting or exciting (but false) statements in their e-mails/text to get people to react immediately. They also often ask for information such as usernames, passwords, credit card numbers, social security numbers, and other sensitive information. Phisher e-mails /text messages are typically NOT personalized, while valid messages from your bank or e-commerce company generally are.

What should I do if I am targeted by a phishing attack?

If you receive an e-mail/text message you suspect is a phishing scheme, confirm through other means that the e-mail/text message or the website/phone number it directs you to, is legitimate. This may mean that you need to contact a department within the University, or the Customer Service division of a bank.

For central University functions such as registration, bursar, or admissions, the familiar U of M login page should appear for any real U of M pages that ask for personal information. If in doubt, remember that most functions are available by going to the OneStop web page. Follow the links there rather than the ones in the e-mail.

Recommended steps to thwart phishing attacks:

1. Type in to your web browser the main site mentioned in the e-mail. Examples:
   • http://www.wellsfargo.com
   • http://www.ebay.com
   • http://www.tcfbank.com
   • http://www.paypal.com
   • http://www.umfcu.net
2. Check to see if the site has an announcement about phishing attacks targeting it. Examples:
   • http://www.wellsfargo.com/privacy_security/fraud_prevention/ (found under " Fraud Prevention Guide")
   • https://www.chase.com/index.jsp?pg_name=ccpmapp/privacy_security/fraud/page/fraud_examples
   • http://pages.ebay.com/securitycenter/stop_spoof_websites.html (found under "Security Center -> "Stopping spoof e-mails and Web sites")
   • http://www.tcfbank.com/Security/security_email_fraud.jsp (found under "Protect Yourself From Online and Email Fraud")
   • http://www.paypal.com/cgi-bin/webscr?cmd=_security-center-outside (found under "Security Center.")
3. Check to see if the privacy policy of the website has a policy about collecting private data.
4. Contact the sending individual or unit through other means to confirm the authenticity of the e-mail:
   • Find the e-mail address of the unit from a webpage, and type it in to your e-mail client. Ask about the e-mail/site.
   • Call the unit, and ask about the e-mail/text message/website.
5. If you determine that a website is legitimate, make sure it encrypts your data by using SSL. When SSL is in use, a lock icon will appear somewhere on your browser. However, even SSL can be spoofed, by using incorrect certificates. If you get a dialog box asking to install a certificate, confirm that the certificate is signed by a trusted source, such as Thawte or Verisign. If it is not, or if it is self-signed, contact the site owner through other means, like a phone call.

How do I report Phishing scams?

Please report phishing scams to the US-CERT. The US-CERT is collecting phishing e-mail messages and Web site locations so that they can help people avoid becoming victims of phishing scams.

If you suspect fraud, contact the Federal Trade Commission and the FBI's Internet Crime Complaint Center.

If you see a phishing attack that specifically targets the University of Minnesota, please contact OIT Security and Assurance at phishing@umn.edu. Please don't report phishing attacks aimed at your bank or E-Bay (etc.) to phishing@umn.edu, report them to the US-CERT. See the paragraph above.

What to do if you have fallen victim to a Phishing scam

If you think you have fallen victim to a phishing scam, there is excellent advice on what to do at the Anti-Phishing Working Group Web site.

Resources & Links:

• Avoid Getting Hooked by Phishers - National Consumers League's Internet Fraud Watch
• How Not to Get Hooked by Phishing - FTC
• Phishing Attacks Targeted at the University
• Anti-Phishing Working Group
• Spoofed/Forged E-mail- CERT
• Phishing IQ Test
• How Text Messaging Scams Work - ComputerWorld