Phishing

Phishing

Phishing is an attempt to acquire personal information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.

Communications purporting to be from "Auburn University," popular social websites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by email spoofing and often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Don't become a victim of phishing attempts:

  • DO NOT reply to email with any personal information or passwords. If you have reason to believe that the request is real, call the institution or company directly.
  • DO NOT click a link in an unsolicited email message. If you have reason to believe the request is real, type the web address for the company or institution directly into your web browser.
  • DO NOT use the same password for your University account, bank, Facebook, etc. In the event you do fall victim to a phishing attempt the thieves will try the compromised password in as many places as they can.
  • DO change ALL of your passwords if you suspect any account you have access to may be compromised.
  • DO be equally cautious when reading email on your phone. It may be easier to miss telltale signs of phishing attempts when reading the email on a smaller screen.

Auburn University will NEVER ask for your account information (username/password), or other personal information, via email.

Note: Auburn University cannot be held responsible for users that fall for phishing attempts delivered through the University email system. The Office of Information Technology and Risk Management and Safety encourage you to review this information, understand its importance and become vigilant of phishing attempts.

Alarming statistics

  • 156 Million phishing emails are sent globally EVERY DAY
  • 16 Million of those emails make it through email filters
  • 8 Million of those emails are opened
  • 800,000 links in those emails are clicked
  • 80,000 people fall for a scam and voluntarily give their personal information EVERY DAY
  • The Microsoft Computing Safer Index Report (Feb 2014) estimated the world-wide impact of phishing scams is ~$5 Billion

Warning signs

There are often signs that can tip you off that a message may not be what it appears.

  • Urgent Language - Phishing attempts often use language meant to alarm. They contain threats, urging you to take immediate action.  “You MUST click on the link below or your account will be canceled.”
  • The Greeting - If the message doesn't specifically address you by name, be wary. Fake messages use general greetings like “Dear eBay Member” or “Attention Citibank Customer” or no greeting at all.
  • URLs Don’t Match - Place your mouse pointer over the link in the email message. If the URL displayed in the window of your browser is not exactly the same as the text of the link provided in the message, DON'T CLICK THE LINK.  It’s probably a fake.   Sometimes the URLs do match and the URL is still a fake.  Before you click, look for other clues in the message like the use of a secure connection (SSL – https://).
  • Avoid the Obvious- “Official” messages that contain misspellings, poor grammar and/or punctuation errors are dead-giveaways – assume those are fake.  And, of course, if you don’t have a Wells Fargo credit card, for example, don’t respond to a request for information for card holders!
  • Request for Personal Information - If an email message asks you to provide your username, password, or bank account information by completing a form or clicking on a link within an email message, don’t do it.   Legitimate companies will never ask you to provide that kind of information in an email message.  Most legitimate messages will offer you an alternate way to respond like a phone number.

Phishing examples

Spear phishing Auburn University Libraries users from April 9, 2014

Spear phishing Verizon Wireless customers from March 28, 2014

Spear phishing example from March 4, 2014

Phishing example from February 5, 2014:

From: Auburn University [mailto:mwagone@purdue.edu]
Sent: Wednesday, February 05, 2014 8:27  AM
Subject:  Letter From Auburn University !!!
   

You have 1 new Security Message Reference for your account!
Re-Login to confirm your account status [Click here >]
This message should only by those who can read it addressed and its content is not intended for use by any other person.

Copyright © 2014 Auburn University

---------------------------------------------------------------------------------------------

Here are the signs you should have picked up on:

  • Even though the "From" address can be spoofed, this one is obviously not from Auburn University.
  • Notice the urgent language: "1 new Security Message."
  • Request for personal information: "confirm your account status."
  • URLs Don't Match: The actual link was removed from this example, but the "Click here" link is misleading.
  • Bad grammar - a tell-tale sign of phishing: "should only by those who can read it addressed..."

If you have or may have fallen for a phishing scam

  1. Immediately change the password to the online account the phishing email was pretending to be from and to any other accounts that used the same login information.
  2. Contact the OIT HelpDesk at (334) 844-4944 or helpdesk@auburn.edu.
  3. Run a virus scan of your system using your anti-virus software.
  4. If you believe you may be have the victim of identity theft, visit: Federal Commission for Identity Theft
  5. Forward the phishing email "as an attachment" to abuse@auburn.edu and then DELETE the message from your Inbox.
  6. Regularly check your banking and credit card accounts for any unauthorized transactions that may have been initiated by the phishers.

Report phishing

To report a possible phishing attempt to OIT, forward the email "as an attachment" to abuse@auburn.edu.

If you become aware of a phishing scam, you may also consider filing a complaint with the FBI on the Internet Fraud Complaint Center of the FBI website or forwarding the email to the Federal Trade Commission and the company being spoofed

Send details to the Anti-Phishing Working Group, which updates a database of common scams to which you can refer: http://www.antiphishing.org/report-phishing.

Links and references

For avoidance tips, more info and examples try these sites:

Last Updated: April 9, 2014