Phishers continue to flood inboxes with seas of e-mail bait
In recent weeks, University of Iowa faculty and staff have opened their e-mail inboxes to find a message purportedly sent by a University of Iowa support team. The message claims that a database upgrade is under way and that, to avoid deletion of the e-mail account, the recipient must reply with his or her username, password, date of birth, and country or territory. This is to “phishing” what a shiny lure or juicy worm is to fishing.

The e-mail from “UIOWA Support” is not legitimate. The Information Technology Services (ITS) department at the University will never ask a UI employee to send his or her Hawk ID password by e-mail. As these messages continue to arrive, ITS is seeking to keep fellow UI employees off the hook of identity thieves by offering advice on ways to recognize and avoid phishing scams.

“This is organized crime—it’s a real racket,” says Jane Drews, information technology security officer in the University IT Security Office. “These attackers clearly make money from it, or they wouldn’t do it. And it keeps escalating.”

Typically, phishers impersonate a company, a university organization, or even a federal government entity such as the Internal Revenue Service, and prey on two emotions: greed and fear. In the first case the message promises money; in the second it threatens to close the recipient’s financial accounts unless immediate action is taken.

Once they have sensitive information (bank account numbers, passwords, social security numbers, credit card numbers, even mothers’ maiden names), phishers can open accounts in a victim’s name, ruin the victim’s credit, or lock the victim out of financial or e-mail accounts. Drews says that phishers also seek e-mail passwords in order to send spam from the victim’s account. “That’s a new twist,” she says.

“For the most part, phishing consists of social engineering ploys,” says Warren Staal, security support specialist in the IT Security Office. “The phishers look at ways to coerce people into giving out sensitive, personal information. They play on people’s fears.”

But fear not: ITS provides advice on avoiding these scams, and answers questions about what to do if you have fallen victim to them, at http://helpdesk.its.uiowa.edu/security/phishing.htm.
Rule No. 1: always be suspicious of e-mail asking for sensitive personal information. “Your financial institutions should already have the personal information sought by these e-mail messages,” Staal says. “Any such request should trigger alarm bells—always err on the side of caution.”

Most phishing scams originate outside the United States, which often produces another warning sign: misspelled words and grammatical errors riddle these messages.

Another point of emphasis: the text displayed for a link might not match the link’s actual destination. Case in point: in the online version of this article, the link reading http://www.uiowa.edu looks like the address of the University’s home page, but clicking it takes the reader somewhere else (the ITS help desk home page). That example is a harmless redirect, but scammers use the same trick to send you to a phony site that appears legitimate, often decorated with stolen corporate logos to enhance the appearance of authenticity.

If there is any uncertainty about a link received via e-mail, “hover” the cursor over it. If the link text does not match the address the link actually points to (shown in a small shaded box near the cursor, or in the status bar along the bottom of the e-mail client or web browser), do not click it. In fact, Drews recommends not clicking any link in these messages. “Even if you don’t supply personal information, clicking on these links can lead to trouble,” she says. “One click often installs malicious software that can capture your keystrokes and send them to the phisher, which can help them access your personal accounts.”

UI employees who fall victim to one of these scams should contact the business they thought they were dealing with. “If the employee provided sensitive information regarding a bank account, contact that bank, and get the account or password changed,” Drews says.
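The “hover over the link” check above can also be done mechanically on the HTML of a message: pull out every link, compare the host shown in the visible text with the host in the real destination, and flag the ones that disagree. The following is an added example written for this page, not code from ITS or from the original article. The message body is constructed for the example, and the address 198.51.100.7 is a documentation-only IP chosen as a stand-in for an attacker’s server.

```python
"""Flag e-mail links whose visible text does not match their real destination.

Added example (not from the original ITS article). It performs the same
comparison a reader makes by hovering over a link: visible text versus the
address in the href.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example; not a real phishing e-mail.
# 198.51.100.7 is a documentation-range address standing in for a phony host.
SAMPLE_HTML = """
<p>Your UIOWA mailbox will be deleted unless you verify it.</p>
<p>Visit <a href="http://198.51.100.7/uiowa/login.php">http://www.uiowa.edu</a>
to confirm your Hawk ID.</p>
<p>Read the real notice at <a href="http://helpdesk.its.uiowa.edu/security/phishing.htm">
helpdesk.its.uiowa.edu</a>.</p>
<p><a href="http://hawkid.uiowa.edu">Change your password</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(value):
    """Return the lowercase host of a URL or bare hostname, or None if absent."""
    value = value.strip()
    if not value:
        return None
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def looks_like_address(text):
    """True if the visible link text is itself a URL or a host name."""
    return bool(re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text.strip(), re.I))


def check_links(html):
    """Return [(text, href, verdict)] with verdict 'ok', 'mismatch' or 'opaque'.

    'mismatch' is the classic phishing pattern: the displayed URL lies about
    the destination. 'opaque' means the text reveals no address at all, so
    the reader must hover to learn where the link goes.
    """
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    results = []
    for text, href in parser.links:
        if not looks_like_address(text):
            verdict = "opaque"
        elif host_of(text) == host_of(href):
            verdict = "ok"
        else:
            verdict = "mismatch"
        results.append((text, href, verdict))
    return results


if __name__ == "__main__":
    for text, href, verdict in check_links(SAMPLE_HTML):
        print(f"{verdict:9} {text!r} -> {href}")
```

Only a link whose visible text is itself an address can be judged from the text alone; a link reading “Change your password” is reported as opaque rather than safe, which matches the article’s advice to hover (or simply not click) rather than trust the wording.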
“If an e-mail password was shared, change that password as soon as possible.” If Hawk ID credentials have been compromised, visit the Hawk ID web site (http://hawkid.uiowa.edu) and change the password there.

Scanning for social security numbers

A common prize for phishers is a social security number (SSN). For a number of years the University has been working to reduce or eliminate uses of SSNs wherever possible; for instance, medical spending account reimbursement forms allow a UI employee to enter his or her employee ID number in place of the SSN.

This spring, the University purchased software to help remove SSNs from all UI computer systems. The program, called Identity Finder, scans computer files for social security numbers, much as an antivirus program looks for known viruses, and generates a report of files that might contain SSNs. Faculty and staff are asked to work with their IT support representatives to complete these scans and then to remove SSNs from the flagged files or delete the files from their hard drives (and from servers, if necessary).

“Newer grade books use University ID numbers in place of the social security number, but older grade books often contain social security numbers,” Drews says. “Files containing social security numbers should be edited or deleted. In cases where the files cannot be changed or erased, they should be archived on external media, such as a CD-ROM.”

Have a question about phishing, computer security, or anything else technology-related? Help is just a call away. “Calling the ITS help desk (319-384-4357) is a good thing to do in any case,” Drews says.

by Christopher Clair
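The scan-and-report step described under “Scanning for social security numbers” can be illustrated with a small scanner of the same shape: walk a directory, match the 3-2-4 digit pattern, discard values the Social Security Administration never issues (area 000, 666 or 900–999; group 00; serial 0000) to cut false positives, and report which files need attention. This is an added example written for this page; it is not Identity Finder’s logic and not University code. The sample files it scans are constructed inside a temporary directory, and the numbers in them are made up.

```python
"""Scan text files for likely Social Security numbers and report the hits.

Added example; not Identity Finder and not University of Iowa code. It shows
the pattern-plus-validation check such a scanner performs so that flagged
files can be reviewed and cleaned up.
"""
import os
import re
import tempfile

# Candidate: 3-2-4 digits with a dash, a space or nothing between the groups,
# bounded so that pieces of longer numbers (phone numbers, IDs) are skipped.
SSN_RE = re.compile(r"(?<![\w-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\w-])")


def plausible_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def scan_text(text):
    """Return the list of plausible SSN-looking strings found in text."""
    return [m.group(0) for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]


def scan_tree(root, extensions=(".txt", ".csv", ".htm", ".html", ".xml", ".log")):
    """Walk root and return {path: number_of_hits} for files containing hits.

    Only text-like extensions are read. Binary formats (PDF, spreadsheets)
    need format-specific extractors, which is part of what a commercial
    scanner provides and this example does not.
    """
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if hits:
                report[path] = len(hits)
    return report


def demo():
    """Build a constructed sample tree, scan it, return {file name: hit count}."""
    # Constructed content: an old grade book with SSNs, a new one with
    # University ID numbers, a phone number, and an unissued placeholder.
    samples = {
        "old_gradebook.csv": "Smith,123-45-6789,A\nJones,321 54 9876,B\n",
        "new_gradebook.csv": "Smith,00123456,A\nJones,00765432,B\n",
        "contacts.txt": "ITS help desk: 319-384-4357\n",
        "notes.txt": "placeholder 000-12-3456 is not a real SSN\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        report = scan_tree(root)
    return {os.path.basename(p): n for p, n in report.items()}


if __name__ == "__main__":
    for name, count in sorted(demo().items()):
        print(f"{count:3} possible SSN(s): {name}")
```

The report lists files and counts only, never the matched numbers themselves, so the output can be shared with an IT support representative without becoming another file that contains SSNs.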