- Quick Facts
- How not to get hooked by phishing scams
- I've been phished! What should I do?
- How to report a phishing scam
- Other types of phishing
Phishing is a scam where Internet fraudsters send spam or pop-up messages to lure unsuspecting victims into providing passphrases, personal, and/or financial information. To avoid getting hooked:
- Realize that no one at IU should ask for your university passphrase.
- Don't reply to email or pop-up messages that ask for passphrases, personal, or financial information, and do NOT click on links in such messages. Don't cut and paste a link from the message into your Web browser — phishers can make links that look like they go to one place but actually send you to a different site.
- Some scammers send an email that appears to be from a legitimate business and ask you to call a phone number to update your account or access a "refund." Because they use Voice over Internet Protocol technology, the area code you call does not reflect where the scammers really are. If you need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card.
- Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly.
- Don't email passphrases, personal, or financial information.
- Review credit card and bank account statements as soon as you receive them to check for unauthorized charges.
- Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them.
- Forward phishing emails to firstname.lastname@example.org – and to the company, bank, or organization impersonated in the phishing email. You also may report phishing email to email@example.com. The Anti-Phishing Working Group, a consortium of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.
- If you've been scammed, visit the Federal Trade Commission's Identity Theft website at ftc.gov/idtheft.
For general information about phishing, see: What are phishing scams and how can I avoid them?
"We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
"During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."
"Your e-mail (or passphrase) will expire soon. To avoid any interruption please click the link below and upgrade your email."
Have you received email with a similar message? It's a scam called "phishing" — and it involves Internet fraudsters who send spam or pop-up messages to lure personal information (credit card numbers, bank account information, Social Security number, passwords, or other sensitive information) from unsuspecting victims.
According to OnGuard Online, phishers send an email or pop-up message that claims to be from a business or organization that you may deal with — for example, an Internet service provider (ISP), bank, online payment service, or even a government agency. The message may ask you to "update," "validate," or "confirm" your account information. Some phishing emails threaten a dire consequence if you don't respond. The messages direct you to a website that looks just like a legitimate organization's site. But it isn't. It's a bogus site whose sole purpose is to trick you into divulging your personal information so the operators can steal your identity and run up bills or commit crimes in your name.
We suggest these tips to help you avoid getting hooked by a phishing scam:
- Don't reply
- If you get an email or pop-up message that asks for personal or financial information, do not reply. And don't click on the link in the message, either. Legitimate companies don't ask for this information via email. If you are concerned about your account, contact the organization mentioned in the email using a telephone number you know to be genuine, or open a new Internet browser session and type in the company's correct Web address yourself. In any case, don't cut and paste the link from the message into your Internet browser — phishers can make links that look like they go to one place but actually send you to a different site.
- Area codes can mislead
- Some scammers send emails that appear to be from a legitimate business and ask you to call a phone number to update your account or access a "refund." Because they use Voice over Internet Protocol technology, the area code you call does not reflect where the scammers really are. If you need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card. And delete any emails that ask you to confirm or divulge your financial information.
- Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly
Some phishing emails contain software that can harm your computer or track your activities on the Internet without your knowledge.
Anti-virus software and a firewall can protect you from inadvertently accepting such unwanted files. Anti-virus software scans incoming communications for troublesome files. Look for anti-virus software that recognizes current viruses as well as older ones; that can effectively reverse the damage; and that updates automatically.
A firewall helps make you invisible on the Internet and blocks all communications from unauthorized sources. It's especially important to run a firewall if you have a broadband connection. Operating systems (like Windows or Linux) or browsers (like Internet Explorer or Netscape) also may offer free software "patches" to close holes in the system that hackers or phishers could exploit.
- Don't email personal or financial information.
- Email is not a secure method of transmitting personal information. If you initiate a transaction and want to provide your personal or financial information through an organization's website, look for indicators that the site is secure, like a lock icon on the browser's status bar or a URL for a website that begins "https:" (the "s" stands for "secure"). Unfortunately, no indicator is foolproof; some phishers have forged security icons.
- Review credit card and bank account statements to check for unauthorized charges
- If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
- Be cautious of attachments and downloads
- Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them. These files can contain viruses or other software that can weaken your computer's security.
- Forward phishing emails to firstname.lastname@example.org
- You can also forward emails to the company, bank, or organization impersonated in the phishing email — especially if it's particularly realistic. Most organizations have information on their websites about where to report problems. You also may report phishing email to email@example.com. The Anti-Phishing Working Group, a consortium of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.
- File a complaint
- If you believe you've been scammed, file your complaint at ftc.gov, and then visit the FTC's Identity Theft website at ftc.gov/idtheft. Victims of phishing can become victims of identity theft. While you can't entirely control whether you will become a victim of identity theft, you can take some steps to minimize your risk. If an identity thief is opening credit accounts in your name, these new accounts are likely to show up on your credit report. You may catch an incident early if you order a free copy of your credit report periodically from any of the three major credit reporting companies. See www.annualcreditreport.com for details on ordering a free annual credit report.
This depends — mostly on how much information you accidentally provided to the phishers.
In addition to reporting the phishing scam, this guide should help:
| I accidentally sent... | You should... |
|---|---|
| My email/username & password/passphrase | Change your password/passphrase immediately. For your IU Network ID, visit: At IU, how do I change my Network ID passphrase? If you're using a free provider (Gmail, Hotmail, etc.) and you find an increasing and uncontrollable amount of spam, you may wish to change your email address as well. Unfortunately, IU is unable to change your Network ID/email address for this reason. |
| Personal information, such as: | While there's no way to "unsend" the email, many of these pieces of information are changeable (especially credit card numbers). Contact the appropriate organization or financial institution. You should also report this as identity theft. Please note: the theft of a credit card (or credit card number) alone does not constitute identity theft (as determined by the FTC). You should, however, promptly call the financial institution and have the number changed. You can also work out any erroneous charges on your account. Also, technically, yes — your address is changeable, if you move. However, consider that only as a last resort; most identity thieves attempt to collect thousands (even millions) of individuals' information during phishing scams; they're likely not singling you out as a target. If you feel your personal safety is threatened, contact your local police department. |
| Personal information that isn't changeable — such as: | Unfortunately, there's not much you can do about this except defend yourself (electronically). Visit these pages about reporting identity theft. Being proactive and staying alert/aware of your credit is your best defense. |
| Indiana University institutional data — or data about others to which I have access. | Contact the University Information Policy Office immediately to report the incident. |
Forward spam that is phishing for information to firstname.lastname@example.org – and to the company, bank, or organization impersonated in the phishing email. Most organizations have information on their websites about where to report problems.
You also may report phishing email to email@example.com. The Anti-Phishing Working Group, a consortium of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.
At Indiana University, report phishing to the University Information Policy Office (firstname.lastname@example.org). Be sure to include the full email headers from the email. While there isn't anything the UIPO can do about your having received the fraudulent message, we can analyze information from the headers and sometimes prevent others at IU from responding to phishing email from the same sender or from connecting to the phishing credential collection site.
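Why the full headers matter to whoever receives the report: they carry the relay path and the addresses behind the display name. The following is an added example, not part of the original page and not the UIPO's own tooling; the message, hosts, addresses and function names are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message; all hosts and addresses are placeholders.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
\tby mailbox.example.edu; Tue, 02 Jan 2024 10:00:05 -0500
Received: from mailer.example.net (unknown [203.0.113.7])
\tby mx.example.edu; Tue, 02 Jan 2024 10:00:03 -0500
From: "IT Help Desk" <helpdesk@example.edu>
Reply-To: helpdesk.example.edu@example.org
Subject: Your passphrase will expire soon

Please click the link below.
"""

def domain_of(header_value):
    """Domain part of the address in a header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_message):
    """Summarize the header fields a responder looks at first."""
    msg = message_from_string(raw_message)
    report = {
        "from": domain_of(msg["From"]),
        "reply_to": domain_of(msg["Reply-To"]),
        "return_path": domain_of(msg["Return-Path"]),
        # Each relay prepends its own Received header, so reverse the list to
        # read the path oldest hop first. Only hops added by servers you
        # control are trustworthy; earlier ones can be written by the sender.
        "hops": [" ".join(h.split())
                 for h in reversed(msg.get_all("Received", []))],
    }
    # A differing Reply-To or Return-Path is a lead to follow, not a verdict:
    # legitimate bulk mail often uses a separate bounce domain.
    report["mismatches"] = [k for k in ("reply_to", "return_path")
                            if report[k] and report[k] != report["from"]]
    return report

if __name__ == "__main__":
    for key, value in triage(RAW).items():
        print(key, "=", value)
```

Forwarding a message without its headers discards everything in `hops`, which is the part that identifies the sending relay.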
- IVR or phone phishing
This criminal technique uses a rogue interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the "bank" via an (ideally toll-free) number provided in order to "verify" information. A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning.
A criminal could even record the typical commands ("Press one to change your password, press two to speak to customer service" ...) and play back the direction manually in real time, giving the appearance of being an IVR without the expense.
- Quid pro quo
- Quid pro quo means something for something:
- An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware.
- In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen. Similar surveys in later years obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords.