University e-mail systems around the country, including the UA’s, have been hit by an e-mail “”phishing”” scam in recent weeks, prompting people to give up private information that can be used for malicious and illegal purposes.
The scam is particularly alarming to the UA because it coincides with an ongoing effort to have 70,000 NetID users change their passwords, potentially causing users to fall victim.
Protect Yourself
Here are a few tips to avoid becoming a victim of an e-mail scam, adapted from an e-mail the UA’s Information Security Office sent around campus Friday:
? Delete scam e-mail messages once you believe you see them.
? Do not respond to the sender after opening an e-mail you suspect is part of a scam.
? Do not click on any link in a suspicious e-mail.
? Consider sending the e-mail with extended headers to abuse@email.arizona.edu so future messages from the sender can be filtered.
? If you have responded to an e-mail you suspect is part of a scam, you can call the Information Security Office at 626-8232 for advice.
“”Phishing is here, it’s not going anywhere, and we’re trying our best to control it,”” said Kelley Bogart, the university’s information security coordinator.
The UA Information Security Office sent out a campuswide e-mail Friday explaining the recent proliferation of an e-mail asking the reader to reply to it and provide their NetID username and password. This information is used to access UA WebMail and academic services, including D2L and Student Link.
The e-mail appears to be coming from a legitimate university account that tells readers their accounts will be canceled if they do not respond.
In fact, e-mails like these – whose senders can come under the guises of banks or popular auction site eBay, among others – are attempts to log into personal university accounts with the intent of phishing, Bogart said.
Phishing amounts to sending “”Nigerian spam”” from actual university e-mail addresses that asks people to give money for fraudulent reasons, she said.
The university has developed anti-virus spam filters that block these e-mails as they come in, but there is only so much spam-blocking that can be done, and hackers sometimes find a way around software, she said.
If a hacker logs onto a person’s e-mail account and engages in criminal activity, it may be difficult to prove that the person the account belongs to wasn’t responsible for the criminal activity, she said.
“”People don’t understand the importance of a password – if someone logged in under your password, it can be really bad for you,”” Bogart said.
Thousands of scam e-mails flooded the network at Indiana University two weeks ago.
Nate Johnson, IU’s lead security engineer, said that once a hacker accessed a single person’s account, he or she launched approximately 10,000 spam messages from it in only four minutes, according to an April 4 article in the Chronicle of Higher Education.
If such an infiltration happened or has happened to a user of WebMail, the UA doesn’t have software or other means in place to detect it, Bogart said.
The best way to differentiate between an official university e-mail and a scam is that university e-mails usually refer to readers by name, rather than a generic title, she said.
The e-mails affecting the UA appear to be among some of the first to come from fraudulent university addresses, she said.
Scam e-mails are hardly the only threats to the university’s Internet security, Bogart said.
Visiting a questionable Web site can often lead to hackers uploading viruses onto computers. These viruses then log every keystroke made for the purpose of stealing credit card and other information, she said.
If an e-mail is sent with a link in it, never click on the link, Bogart said. Rather, copy and paste the address into another window to avoid being taken to a site that can put personal information at risk.
“”The smartest thing to do is always be suspicious of just about anything that gets e-mailed to you,”” she said.
