Phishing Season—Again
By Jody Record, Campus Journal Editor
April 20, 2011
Here’s something to remember that may help you avoid making a costly mistake: UNH Information Technology (UNH IT) will never ask for your personal information via e-mail or on the phone. Not your social security number, password, university ID, date of birth--nothing. Ever. So, if you get requests for such data, it’s someone doing a little spear phishing.
Spear phishing differs from regular phishing—attempts by hackers to get you to reveal personal information—in that it appears to come from not only a legitimate source but a trusted one. Spear phishing at UNH often comes in the form of e-mails that look like they are from a UNH department.
Research has shown that 60 percent of the people receiving what appear to be reliable but unsolicited e-mails respond to them. That can lead to instant computer infections while letting the attacker know they have, indeed, reached a real person. That can result in stolen information, money and resources.
“UNH IT will never ask you for your information but nobody should unless you are expecting it,” says Petr Brym, director of IT Security. “If it’s not something you are expecting, it doesn’t matter whether it’s UNH or your brother or your sister—don’t respond. If you can’t independently verify its validity, don’t respond.”
That means ignoring e-mail addresses or phone numbers provided in the bogus e-mails as reliable contact information. Go to an outside source—a known, legitimate outside source—to get a phone number, and make the call to see if a request is valid.
One of the latest phishing attempts being circulated is an e-mail that has “UNH Security Alert” in the subject line, and indicates it’s from “UNH WEB ADMIN.” But take a look at the e-mail address that follows: [firstname.lastname@example.org]. It says nothing about UNH, or UNH IT. A legitimate correspondence from them would have unh.edu in the address line. So, there’s your first clue.
Next, it says a virus has been detected in your UNH e-mail account and that it has to be protected by new anti-virus software. Then it asks for your info: e-mail address, username, and password. There’s your second clue because, as noted above, UNH IT won’t ask you for those things.
Responding to such e-mails can have dire consequences. According to a recent warning sent from UNH IT, a bogus e-mail forwarded by a UNH employee led to another employee responding and losing thousands of dollars. Such actions also could compromise university information and passwords, possibly leading to thousands or millions of dollars’ worth of damage.
The rule to live by, then, is if you get an e-mail and don’t know who sent it, don’t respond. Don’t even open it.
UNH IT offers the following advice to avoid getting caught by a spear phisher:
- Never click on links, open attachments or call phone numbers in unsolicited e-mail messages. They may cause damage to your computer or UNH systems, or result in information being stolen.
- Never give out personal or institutional information in response to a phone call or e-mail, including SSN, IDs, passwords, credit cards or other secure information.
- Use the number you have for the organization, such as the phone number on the back of your credit card, if you need to verify e-mails or a phone call. Do not use numbers provided in e-mails or phone messages. (At UNH, you can call the UNH IT Help Desk to verify e-mails from UNH. The Help Desk number is published in the official UNH phone directory.)
- If you believe you or a co-worker has inadvertently responded to a phishing attempt, immediately notify your supervisor and the UNH IT Help Desk.
- Monitor the Important Security Updates at the UNH IT Security web site. Pay particular attention to the “Phishing and Other E-mail Scans” notices, and visit often to learn about the most recent threat.
- UNH IT Security is available to conduct a training session about protecting information. Contact them to schedule a training session, or see the Information Security Training PowerPoint in the “UNH Faculty and Staff” organization in Blackboard in the “IT Policy & Security” section.
For more information visit http://unh.edu/helpdesk/phishing/unh-phishing.html