Avoiding Identity Theft at the U
By Benjamin Neeser
September 16, 2008
Anyone who has used a computer in the last decade knows how to
spot obvious scams circulating in the cyber world: You Have Won $1
Million! Contact our director of finance immediately! Scams like
this are known as "phishing" attacks. "Phishers" create these
messages in order to trick people into replying with personal
information, such as a Social Security number, birth date, or
e-mail address. Most people are able to identify scams like this
when they see them. But what if the e-mail is sent from someone you
know or an organization you are a member of, such as the University
of Minnesota? Welcome to a nasty new form of an e-mail scam called
"spear phishing." In a spear phishing scam, the message can seem
genuine because it appears to come from a legitimate source, like
your employer or university. In recent months, there have been
increasing numbers of customized attacks against the University of
Minnesota, and some of them have been quite effective at tricking
students, faculty, and staff into divulging personal
information.
What can happen if you get phished
Most
phishing attacks at the U attempt to get Internet IDs and passwords
rather than money, so it is extremely important to understand the
value of an ID and password. If someone gets their hands on this
private information, they can attack you by
- buying big-ticket items such as computers from U Web sites and
charging them to you;
- gaining access to your banking information or redirecting your
paycheck to another bank account;
- sending malicious e-mails from you that can land you in serious
legal troubles;
- selling your information to other crooks.
Things may not be what they seem
The first important thing to know is that you cannot simply look at
an e-mail and tell where it originated. The sender shown in the
"From:" line is set by whoever sends the message, so phishers can
create messages that appear to originate from "umn.edu" e-mail
addresses when in fact they do not. Furthermore, phishers can include
maroon and gold U of M logos in their messages, or even provide links
to entire Web pages that look official.
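The point above is that the "From:" line proves nothing, but the full headers (the ones you are asked to include when forwarding to abuse@umn.edu) still carry clues: the envelope sender in Return-Path and the chain of Received: lines added by each relay. The following is an added example, not code from the original article or from OIT, that parses two constructed messages with Python's standard library and compares where each of those places says the mail came from. Host names and addresses in the samples are documentation values chosen for this example, and the "same organization" check is a simple assumption (equal domain or subdomain).

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not a real message): the "From:" line claims umn.edu,
# but the envelope sender and the relays it passed through do not. Host
# names and addresses are documentation values chosen for this example.
SPOOFED_RAW = """\
Return-Path: <bounce-1234@mail.example.net>
Received: from mail.example.net (mail.example.net [203.0.113.5])
    by mx.umn.edu with ESMTP; Tue, 16 Sep 2008 09:12:31 -0500
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mail.example.net with SMTP; Tue, 16 Sep 2008 09:12:02 -0500
From: "University of Minnesota" <it-help@umn.edu>
To: student@umn.edu
Subject: Verify your Internet ID within 48 hours
Content-Type: text/plain

Your account will be disabled unless you reply with your Internet ID and password.
"""

# Constructed sample of an internal message whose headers agree with each other.
LEGIT_RAW = """\
Return-Path: <it-help@umn.edu>
Received: from smtp.umn.edu (smtp.umn.edu [192.0.2.10])
    by mx.umn.edu with ESMTP; Tue, 16 Sep 2008 10:02:11 -0500
From: "OIT" <it-help@umn.edu>
To: student@umn.edu
Subject: Scheduled maintenance on Saturday
Content-Type: text/plain

Central mail will be unavailable Saturday from 6 to 8 a.m.
"""


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rpartition("@")[2].lower()


def _same_organization(a: str, b: str) -> bool:
    """True if one domain equals or is a subdomain of the other (an assumption)."""
    if not a or not b:
        return False
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def analyze_headers(raw: str) -> dict:
    """Pull out the three places a message's origin shows up in full headers."""
    msg = email.message_from_string(raw)
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    return_path_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    received = msg.get_all("Received") or []

    def hop_source(line: str):
        m = re.search(r"from\s+(\S+)", line)
        return m.group(1) if m else None

    # Each relay prepends its own Received: line, so the first entry names
    # the host that handed the message to our MX and the last entry is the
    # earliest hop recorded, i.e. the closest thing to the real origin.
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "delivering_host": hop_source(received[0]) if received else None,
        "origin_host": hop_source(received[-1]) if received else None,
    }


def from_header_is_consistent(raw: str) -> bool:
    """False when the visible From: domain disagrees with the bounce address."""
    info = analyze_headers(raw)
    return _same_organization(info["from_domain"], info["return_path_domain"])


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        print(label, analyze_headers(raw), from_header_is_consistent(raw))
```

Two caveats for anyone reading headers this way: only the Received: lines added by your own mail servers (the top ones) are trustworthy, since a sender can forge any header below them; and a mismatch between From: and Return-Path is a reason to look closer, not proof of phishing, because some legitimate bulk senders use a separate bounce domain.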
Something fishy
While some phishing attacks are very difficult to
spot, there are a number of features that are common to phishing
attacks. You should be immediately suspicious of an e-mail that
does any of the following:
- It asks for personal information such as your Internet password
or Social Security number (sometimes, they may ask you to reply to
an e-mail, or they may direct you to a Web site or a phone number
where they will ask for personal data).
- It contains upsetting or exciting statements that express
urgency. It is very common for phishers to threaten some sort of
consequence, such as that "if you do not respond within 48 hours,
your account will be disabled."
- It is poorly written, and it contains misspelled words or
incorrect grammar.
- It is not addressed to you personally. Instead, it begins with
something like "Dear Customer" or "Dear Valued Subscriber" or "Dear
[your email address]."
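The red flags above are the same signals a simple mail filter looks for. As an added example that is not code from the original article or from OIT's mail servers, the following Python turns three of those flags (a request for credentials, urgency or threats, a generic greeting) plus the "reply or click here" lure into weighted pattern checks and scores constructed sample messages with them. The weights and the threshold are assumptions chosen for this example; the "poorly written" flag is left out because grammar is not something a few regular expressions judge well.

```python
import re

# Indicators taken from the red flags listed above. The weights are
# assumptions chosen for this example, not values from any real filter.
INDICATORS = {
    "requests_credentials": (3, re.compile(
        r"\b(password|passwd|internet id|social security|ssn|account number|pin)\b",
        re.I)),
    "urgency_or_threat": (2, re.compile(
        r"\b(within \d+ (hours?|days?)|immediately|urgent|suspended|disabled"
        r"|terminated|expire[sd]?)\b", re.I)),
    "reply_or_link_for_data": (2, re.compile(
        r"\b(reply|respond) (with|to this)|click (here|the link)|call (us|the number)\b",
        re.I)),
    "generic_greeting": (1, re.compile(
        r"^\s*dear\s+(customer|valued|user|member|subscriber|account holder"
        r"|[^\s@]+@[^\s@]+)", re.I | re.M)),
}


def score_message(subject: str, body: str) -> dict:
    """Return the total weight and the sorted names of the indicators that fired."""
    text = subject + "\n" + body
    hits = {name: weight for name, (weight, pattern) in INDICATORS.items()
            if pattern.search(text)}
    return {"score": sum(hits.values()), "flags": sorted(hits)}


def is_suspicious(subject: str, body: str, threshold: int = 4) -> bool:
    """Threshold is an assumption: one strong indicator alone is not enough."""
    return score_message(subject, body)["score"] >= threshold


# Constructed samples (not real mail) in the style described in the article.
PHISH_SUBJECT = "Verify your Internet ID within 48 hours"
PHISH_BODY = (
    "Dear Valued Subscriber,\n\n"
    "Your mailbox has exceeded its quota. Reply to this message with your "
    "Internet ID and password within 48 hours or your account will be disabled.\n"
)
LEGIT_SUBJECT = "Department meeting moved to Thursday"
LEGIT_BODY = (
    "Hi Ben,\n\nThe staff meeting has moved from Wednesday to Thursday at "
    "2 p.m. in the same room. Agenda attached.\n"
)
# Mentions a password but asks for nothing: a legitimate reminder that a
# single keyword must not condemn on its own.
REMINDER_SUBJECT = "Annual password change"
REMINDER_BODY = (
    "Hi Ben,\n\nCampus policy requires a new password each year. Change it "
    "from your account settings page when convenient.\n"
)


if __name__ == "__main__":
    for subj, body in ((PHISH_SUBJECT, PHISH_BODY), (LEGIT_SUBJECT, LEGIT_BODY),
                       (REMINDER_SUBJECT, REMINDER_BODY)):
        print(subj, "->", score_message(subj, body), is_suspicious(subj, body))
```

Keyword heuristics like these catch the crude cases the list describes; a spear phisher who writes cleanly and addresses you by name sails past them, which is why the rule later in this article (never send credentials by e-mail at all) matters more than any scorer.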
What should I do if I suspect a phishing attack
If you are not completely sure of a message's authenticity, you
should never reply to it or click any links contained within it. The
best thing to do is delete it. If it purports to be from the U,
forward it to abuse@umn.edu with full headers displayed. If you feel
the message may be legitimate,
go directly to the company's Web site (by typing the real URL into
your browser) or contact the company to see if you really do need
to take the action described in the e-mail. Do not use any contact
information or URLs from within the message; instead, find that
information yourself by using Google.
The Golden Rule for protecting your personal identity
The most important thing to remember is to never share personal
information over e-mail with anyone: not the 1-HELP technology
helpline, not your department's IT support, and not even your boss.
The University of Minnesota will never, under any circumstance, ask
you to e-mail any form of private data, such as your Social Security
number or your Internet ID and password.
When the Office of Information Technology (OIT) discovers a phishing
attempt, it takes a number of actions to protect the University
community. First, known phishers' return addresses are blocked so
that users cannot reply to them (in case anyone is fooled). Second,
network statistics are analyzed to determine whether anyone at the
University has replied to the phishing attempt; if someone has fallen
victim, OIT immediately alerts that person to change their password.
In addition, OIT has deployed aggressive anti-phishing technology on
the central mail servers used for all inbound e-mail. The software is
currently detecting thousands of phishing messages daily. However, it
is still up to each of us to identify phishing attacks when they
reach our inboxes. And because it can be difficult to tell a phishing
attempt from a legitimate e-mail, the safest policy is to never send
personal data such as passwords over e-mail.
If you think you have fallen victim to a phishing scam, call
1-HELP on campus (612-301-4357).
For more information about phishing and other safe computing
topics, visit the U of M Safe Computing Web site.