Phished again!

Author: Carol C. Bradley

Despite warnings, people still fall for email scams

The email said, “Your inbox is full,” and warned that your account would be frozen if you didn’t take steps.

When you clicked the link, it took you to a website that asked for your NetID and password, and you typed them in.

Big mistake.

You’ve been “phished.”

The result? Tens of thousands of spam emails go out under your name and email address.

You don’t find out until your inbox fills up with bounced emails and nasty messages from people wondering why you’re sending them Viagra ads. And the University blocks your account—for real—at least until you change your password.

“I have heard people joke about how lame many phishing scams are, but people at Notre Dame still fall for the scams,” says Ron Kraemer, vice president for information technologies and chief information officer. “Falling victim to these scams can result in debilitating computer infections, identity theft and—in some cases—having our entire University email system blacklisted from online services.”

Phishing scams are fraudulent emails sent by criminals in hopes of gaining access to your user name, password, bank account numbers or credit card information to steal your identity. Many of the scams originate in foreign countries—Russia, Romania, Nigeria and South Korea.

Why do they want access to your email account?

Spammers are only one link in a “tiered economy” of crime, says David Seidl, OIT’s director of information security. There are spammers looking to send more spam at the bottom of the heap, followed by credit card number thieves, those who handle merchandise bought with stolen credit card numbers, those who perpetrate identity theft and the criminals who coordinate the whole operation. It’s sort of like the Mafia, Seidl says, or the old days of Prohibition with the bootleggers at the bottom and Al Capone at the top.

When you click on a link in a scam email, you’re redirected to a fake (“spoof”) website—often nearly identical to the real website for PayPal, eBay, your bank or credit card company—where you’re asked to type in sensitive information.

Here’s all you need to know to protect yourself: The University will NEVER request your NetID and password in an email. Neither will the Notre Dame Federal Credit Union, your bank, PayPal or the Internal Revenue Service.

The scams work because they scare people, Seidl says.

The most recent email scam to hit campus—the one telling you your inbox is full—is very typical. “When people clicked on the link, it took them to a website that wasn’t a Notre Dame site. Over a hundred people went to the site, and there were 20 compromises.”

Seidl finds out about a security breach when the University starts to get complaints from Hotmail, MSN and other third-party providers, who then block email from the nd.edu domain, typically for 72 hours.

The University also monitors for outbound spam and abusive behavior, and takes action proactively. Says Seidl, “We identified many of the compromised accounts before they were able to send large quantities of spam, and we’re taking active measures to limit the amount of email that can be sent from an account to prevent future compromises.”

But spam isn’t all there is to worry about.

Spurious websites, attachments and downloads can infect your computer with viruses or malware. A person with your NetID and password could potentially access any University service you’re authorized to use—they could change your contact information or insurance beneficiaries, or read your email as another way to gain information for identity theft. At least one person on campus had their entire inbox deleted by a spammer.

To protect yourself, use the official, published Web address, address and telephone numbers of organizations you do business with, and contact them directly if you think an email is suspicious. Rather than clicking a link or cutting and pasting from an email, go directly to the website by typing the site’s address into the address bar. You can also contact the OIT helpdesk at 631-8111 or forward the email to oithelp@nd.edu.

If you think you’ve been hooked by a phishing scam, report it immediately to limit potential identity theft. On campus, email breaches should be reported at secure.nd.edu/goes-wrong/report_event.shtml. For phishing FAQs and a quiz to test your email scam savvy, visit oit.nd.edu/email/phishingfaq.shtml.

The bottom line, Seidl says, is turn on your brain before opening your email. “It’s a personal responsibility to yourself, the University and the people you deal with who might be exposed.”