Phishing and Vishing Cautions
By Jody Record, Campus Journal Editor
February 11, 2009
Hackers are clever. And persistent. Almost weekly, emails show up in UNH mailboxes across campus, advising users to confirm their identity and password or risk losing their accounts permanently.
The hackers use believable language: “This message is from unh.edu messaging center.” And create urgency: “Warning!!! Any account owner that refuses to update his or her account within seven days will lose their account.”
And the practice, known as phishing, isn’t confined to UNH; solicitations of the sort are done via email and on the telephone all the time. But the fakes are easy to spot and here’s why:
“No legitimate group or organization is going to ask someone for their password,” says Petr Brym, director of information technology security for UNH’s Computing and Information Services. “They’re not going to ask for personal information such as your birthday or social security number. If they do, it’s not legitimate.”
But sometimes the hackers are really clever. Like those who call about credit card security breaches such as the one announced last month by Heartland Payment Systems, involving more than 100 million cards.
In those situations, Brym says, the scam artists tell the credit card holders their cards are in danger and ask for their card number and other private information. They often mention the card holder’s bank, making the call appear even more legitimate.
It’s not. Like the emails, Brym cautions, vishing (phishing done over the telephone) is a scam.
Here’s another way it’s done: the callers say they’re from a help desk and that there is a problem with the user’s account and they need the password to fix it. Again: unsolicited “help” asking for personal info? Red flag.
“We want people to recognize any kind of danger,” Brym says. “If someone is asking for your password, they are bad. If they’re asking for your date of birth, your social security number, they’re bad. Again, no legitimate company would ever do that.”
If someone thinks an email or phone call might really be on the up-and-up, they still shouldn’t provide any information until they have had the chance to check. Don’t ask the caller for a phone number; look it up or go to the official Web site, Brym says. Then, call the bank or lender directly and ask if they are making these calls.
Another scam to be aware of but ignore? An email saying the user’s computer is infected and they need to click on a link and enter a credit card number to fix the problem.
“Anything that’s unsolicited is a warning sign,” Brym says, adding that three percent of the population responds to bogus emails. “That’s three out of every 100 people giving away their password. The damage may not become obvious for weeks, maybe months.”
It’s important to note that while Computing and Information Services does intercept and block many of these fake emails, some still get through. That’s because hackers are constantly changing their practices, Brym says.
“UNH does stop the majority of unwanted emails. What people see coming through is the residue,” Brym says. “We don’t want to set the anti-spam filter settings so high it stops all email traffic.”
Call CIS at 2-4242 to verify the validity of a suspect email.