Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
We would like to remind you of some simple steps to prevent becoming a victim of ‘phishing’ attempts.
- DO NOT reply to email with any personal information or passwords. If you have reason to believe that the request is real, call the institution or company directly.
- DO NOT click a link in an email message. If you have reason to believe the request is real, type the web address for the company or institution directly into your web browser.
- DO NOT use the same password for your AU account, bank, Facebook, etc. In the event you do fall victim to a phishing attempt, the thieves will try the compromised password in as many places as they can.
- DO change ALL of your passwords if you suspect any account you have access to may be compromised, whether it is your AU account, Facebook, bank, etc.
- DO be equally cautious when reading email on your phone. It may be easier to miss telltale signs of phishing attempts when reading the email on a smaller screen.
There are often signs that can tip you off that a message may not be what it appears. The hints below can help you avoid "taking the bait."
- Urgent Language - Phishing attempts often use language meant to alarm. They contain threats, urging you to take immediate action. “You MUST click on the link below or your account will be canceled.”
- The Greeting - If the message doesn't specifically address you by name, be wary. Fake messages use general greetings like “Dear eBay Member” or “Attention Citibank Customer” or no greeting at all.
- URLs Don’t Match - Hover your mouse over the link in the e-mail message without clicking it. If the address shown in the status bar of your mail program or browser is not exactly the same as the text of the link in the message, don’t click. It’s probably a fake. Sometimes the two do match and the URL is still a fake, so look for the other clues in the message as well. A secure connection (https://) is not one of those clues: it only means the connection is encrypted, and phishing sites use it just like real sites do.
- Avoid the Obvious - “Official” messages that contain misspellings, poor grammar and/or punctuation errors are dead giveaways; assume those are fake. And, of course, if you don’t have a Wachovia credit card, for example, don’t respond to a request for information for card holders!
- Request for Personal Information - If an e-mail message asks you to provide your user name, password, or bank account information by completing a form or clicking on a link within an e-mail message, don’t do it. Legitimate companies will never ask you to provide that kind of information in an e-mail message. Most legitimate messages will offer you an alternate way to respond like a phone number.
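The signs listed above can be checked mechanically. The script below is an added example (not code from OIT or the original page) that scores a message for urgent language, a generic greeting, a request for credentials, and link text that does not match where the link really goes. It goes one step beyond the "exactly the same" rule above: it pulls the host name out of the visible link text and compares registered domains, so a link whose text is just "Contact us" is not flagged, while text that names one bank but points at another domain is. The phrase lists and the sample message are constructed for the demo, and an https:// link is deliberately not counted as a sign of legitimacy.

```python
"""Flag the phishing signals described above in an HTML e-mail body.
Added example; phrase lists and the sample message are made up for the demo."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical phrase lists; a real filter would be tuned on real mail.
URGENT_PHRASES = ("immediate action", "will be canceled", "will be suspended",
                  "within 24 hours", "you must click")
GENERIC_GREETINGS = ("dear customer", "dear member", "dear user",
                     "valued customer", "attention")
CREDENTIAL_WORDS = ("password", "user name", "username", "account number",
                    "social security", "pin number")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Fine for the demo; production code
    should consult the Public Suffix List so co.uk-style suffixes work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_mismatch(href, text):
    """True when the link text names a host whose registered domain differs
    from the host the href really points at. urlparse also defeats the
    'http://bank.example@evil.example' trick: hostname is evil.example."""
    target = urlparse(href if "://" in href else "http://" + href)
    shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
    if shown is None:
        return False  # text like "click here" carries no host to compare against
    return registered_domain(shown.group(1)) != registered_domain(target.hostname or "")


def phishing_signals(subject, body_html):
    """Return the list of warning signs found in the message (empty if none)."""
    parser = LinkExtractor()
    parser.feed(body_html)
    plain = re.sub(r"<[^>]+>", " ", body_html)
    plain = re.sub(r"\s+", " ", plain).strip()
    haystack = (subject + " " + plain).lower()
    signals = []
    if any(p in haystack for p in URGENT_PHRASES):
        signals.append("urgent language")
    if not plain or any(plain.lower().startswith(g) for g in GENERIC_GREETINGS):
        signals.append("generic or missing greeting")
    if parser.links and any(w in haystack for w in CREDENTIAL_WORDS):
        signals.append("asks for credentials via a link")
    for href, text in parser.links:
        if link_mismatch(href, text):
            signals.append("link text %r does not match target %r" % (text, href))
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            signals.append("link points at a raw IP address: " + href)
    # An https:// link is deliberately NOT treated as a sign of legitimacy.
    return signals


# Constructed sample message for the demo (not a real phishing e-mail).
SAMPLE_SUBJECT = "Urgent: your account will be suspended"
SAMPLE_BODY = """<html><body>
<p>Dear Customer,</p>
<p>Unusual sign-in activity was detected. You must confirm your password
within 24 hours or your account will be canceled.</p>
<p><a href="https://www.bank.example.secure-login.test/verify">https://www.bank.example/verify</a></p>
<p>Questions? <a href="https://www.bank.example/help">Contact us</a></p>
</body></html>"""

if __name__ == "__main__":
    for signal in phishing_signals(SAMPLE_SUBJECT, SAMPLE_BODY):
        print("-", signal)
```

Run as-is, the script prints four signals for the sample message; the "Contact us" link is not reported because its text names no host. The domain comparison uses only the last two labels, which is enough for the demo but wrong for suffixes like co.uk, so anything beyond a demo should use the Public Suffix List.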
OIT and other legitimate agencies will never ask you to provide personal information like your user name or password via an e-mail message. If you receive such a request, do not respond. Instead, report it! Forward the message as an attachment to email@example.com. Reporting these messages helps OIT block their spread at the university firewall level. Once you've forwarded the message to OIT, delete it from your inbox. If you receive an e-mail message that appears to be suspicious, trust your instincts and do not respond.
While some legitimate messages may contain a link, it is best to err on the side of caution. Instead, go directly to the company's website or contact them by phone to see if you really do need to take any action. You can always request confirmation of any message appearing to be from OIT by contacting the OIT HelpDesk at (334) 844-4944 or firstname.lastname@example.org.
In general, you can protect yourself by following these simple guidelines:
- Use antivirus software on your computer. AU students and employees can download it free at http://www.auburn.edu/download.
- Keep your computer's antivirus, spyware, browser, and Windows security patches up to date.
- Use a browser that has a phishing filter.
- Monitor your credit card, banking and personal accounts regularly and investigate unauthorized activity.
If you use Internet Explorer as your web browser, you should enable the Phishing Filter. When it is on, the browser's address bar changes color to warn you that the page you are on is a known phishing site. Read more about it here: http://www.microsoft.com/protect/products/yourself/phishingfilter.mspx
For avoidance tips, more info and examples try these sites:
You can report these phishing scam attempts to the company that's being spoofed.
Last Updated: Nov. 26, 2011