Phishing Scams - Email Requests for Personal Information
(From an email message sent on 11/03/10)
Phishing is a trick that scammers use to get you to give them your personal information. If you receive an e-mail that you suspect may be fraudulently trying to obtain your personal information, do NOT click any links in it. Report the phishing e-mail by forwarding the suspect message to your unit's security unit liaison. (For a list of security unit liaisons, see https://www.safecomputing.umich.edu/download/Security%20UL%20List.pdf).
DANGER – PHISH HOOKS
A phishing attack often arrives as an e-mail message or a text message that appears to come from a legitimate organization. It claims your personal information is needed to fix a problem related to your account. The goal of phishing is to obtain account numbers, passwords, or other private identifying information, which are then used to impersonate you. If the scammers steal your information, they can make charges on your credit card, withdraw money from your bank account, order from online stores, open new accounts under your I.D., and more.
DON'T BELIEVE PHISH STORIES
Phishing attacks may be easily recognized as fakes, but they may also appear very legitimate. A phishing attack may:
- Ask you to provide personal information that can be used to access your private accounts. Reputable organizations do not ask for passwords or other personal information.
- Convey a sense of urgency. ("Your account will be closed if you don't..." etc.)
- Contain strange words, misspelled words, or unusual or awkward phrasing to try to avoid spam filters designed to stop fraudulent e-mails.
- Present a link that opens a different site than the one listed in the link. For example, a link in a phishing e-mail might read www.umich.edu, but if you hover over it with your mouse (be sure not to click it), the actual link displayed in the lower left corner of the e-mail window is to a different site.
DON'T TAKE THE BAIT – AVOID GETTING CAUGHT BY THE PHISH
- Legitimate organizations will never ask for your confidential information via e-mail.
- If you are not absolutely sure that the sender of an e-mail is the person or organization listed in the From field, do not respond. When in doubt, phone them. If they want your information, they will take it over the phone.
- Always check the authenticity of a website before providing any personal information.
FIGHTING FOR A PHISH-FREE WORLD
- Monitor your financial statements for unauthorized purchases or withdrawals. If you suspect unauthorized activity, contact the organization's security department and the police.
- If you suspect that your U-M accounts have been compromised by a phishing attack, contact the Information Technology User Advocate (email@example.com).
- To keep up on U-M's anti-phishing efforts, read the information at: http://safecomputing.umich.edu/main/phishing_alerts/
Tips to Help You Not Get Hooked
These tips are from a Federal Trade Commission Consumer Alert (see http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.shtm ):
- If you get an email or pop-up message that asks for personal or financial information, do not reply.
- Area codes can mislead.
- Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly.
- Don't email personal or financial information.
- Review credit card and bank account statements as soon as you receive them.
- Be cautious about opening any attachment or downloading any files from emails you receive.
- Forward spam that is phishing for information to firstname.lastname@example.org and to the company, bank, or organization impersonated in the phishing email.
- If you believe you've been scammed, file your complaint at ftc.gov and then visit the FTC's Identity Theft website at http://www.ftc.gov/bcp/edu/microsites/idtheft/.
Identifying a Phishing Scam
The following list comes from Microsoft (see http://www.microsoft.com/protect/yourself/phishing/identify.mspx ):
Many phishing scams use these phrases:
- "Verify your account."
- "If you don't respond within 48 hours, your account will be closed."
- "Dear valued customer."
- "Click the link below to gain access to your account."