Spear phishing attack at the University

Date: February 6, 2008
To: University students, staff, and faculty
From: Steve Cawley, Vice President and Chief Information Officer
Subject: Spear phishing attack at the University

You already know not to open e-mail claiming to be from eBay or PayPal,
but what if the e-mail is sent from someone you know or an organization
you are a member of and is addressed to you by name?

It's unfortunate, but there is a nasty new form of an e-mail scam called
"spear phishing." In a spear phishing scam, the message can seem genuine
because it appears to come from a legitimate source—like your employer
or university. Spear phishing attacks can take many different forms, but
the one thing they have in common is that they ask for sensitive
information such as passwords, birth dates, social security numbers,
etc. The most important thing to know is that you should never share
personal information over e-mail.

Over the past week there have been reports of spear phishing attacks at
higher education institutions, including the University of Minnesota.
Last week, a few U of M recipients replied to spear phishing attacks and
shared personal information with attackers. One of the recent spear
phishing e-mails that has targeted U of M says something like:
"VERIFY YOUR UMN (OR EMAIL) ACCOUNT NOW." The e-mail appears to be sent
from a umn.edu address, and the recipient is asked to verify their
e-mail address and e-mail password.

The University will never ask you for your password in e-mail.

If you get an e-mail that asks for this or other sensitive information,
do not respond to it. Instead, contact the person via phone or other
method to request more information about why they think they need your
password. Don't share passwords, even with your supervisor. Any request
for your password should set off alarm bells!

The main method to detect spear phishing is common sense. Ask yourself:
“Should this person be asking for this information? Would it be harmful
if this information fell into the wrong hands?” Please do not click on
any links in any such suspicious e-mail, as they can lead to malicious
sites. Simply delete the e-mail or report it as spam by following the
link for "report as spam" in the central University webmail.

If you think you may have fallen for a phishing scheme and have shared
your University password(s) or other personal information, please
contact 1-help at 612-301-4357.

If you would like more information about how to identify phishing
schemes and what to do when you are targeted by them, the U of M Safe
Computing website has good information and tips:
http://safecomputing.umn.edu/safepractices/phishing.html