By Jody Record, Campus Journal Editor
August 18, 2010
“You have an installment payment of $7,600.00 USD with Western Union from a total of $1,500,000.00. Call or e-mail us today for your MTCN number.”
Most people who receive this sort of e-mail message recognize it as a scam. (Seriously: who gives away free money?)
But what about this one: “Your mailbox quota has exceeded the set quota/limit which is 20GB. Please click the link below to validate your mailbox and increase your quota.” Or this: “We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.”
Think these two might be legitimate? They’re not, says UNH IT. Both are examples of phishing, an attempt to obtain personal information such as your password, date of birth, social security or bank account numbers for fraudulent use.
If you get an e-mail from someone asking for personal information, don’t give it to them. No legitimate company or organization will make such a request via e-mail, the university included.
“UNH won’t ask anyone to verify personal information via e-mail,” says IT security assistant Nino Coletti. “They won’t ask for passwords--not academic or administrative or e-mail accounts on the phone or via e-mail, ever.”
Yet some phishing attempts have become so sophisticated, it’s hard to tell they’re fake. The PayPal notices, for example, appear to be the real deal--“You credit card on file with PayPal will expire”--until you look at the URL and see that PayPal is misspelled: http://uspayapl.com-stc.dat123.
Spelling errors are a big clue; all communications from UNH go through an editor. Legitimate e-mails from banks, credit card companies, etc., likely do, too. So pay attention to misspelled words; they are often an indication that the notice is a hoax.
E-mails asking you to make a phone call (phone phishing) are usually fakes as well. If in doubt, look up the company’s telephone number yourself and compare it with the one in the e-mail. Are they the same? If not, don’t make the call.
Pay attention to the tone of the e-mail. Does it indicate urgency, e.g., threatening that your account will be closed if you don’t act immediately? Phrases like “verify your account” or “warning!!” are indicators you’re dealing with a hacker.
No matter how disconcerting the notice is--e.g., an e-mail from the IRS saying your assets will be frozen if you don’t do what the message demands--remember: legitimate companies, including the IRS, do not ask for personal information in an e-mail. (This is (really) from their Web site: “The IRS does not request detailed personal information through e-mail.”)
And don’t open any attachments or links included in suspicious e-mails. Doing so could infect your computer. Get in the habit of only opening attachments if you are expecting them or you know the sender.
If you happen to find that you’ve been duped, contact the company or bank you have the account with immediately. Many companies have information on their Web sites on where to report problems.
If you receive a questionable e-mail that appears to be from UNH but you’re not sure, check it out.
“Always call the UNH IT Help Desk (2-4242) to find out if an e-mail is valid,” Coletti says. “And don’t take any action until you’ve verified it is from the university.”