An important reminder about phishing scams
CC recently experienced a massive spam attack triggered by a phishing message sent to a CC student’s email account. Unfortunately, the student thought it was legitimate and replied with both username and password, giving the hijackers free access to the account, which sent out many thousands of emails before we were able to stop it. Accordingly, we wanted to send everyone a reminder about how to spot and avoid phishing scams. As more important information makes its way into digital form, protecting network access to that information becomes more important. As network security improves, the weakest link (and thus the easiest way to break in) has become user passwords.
Phishing scams are emails designed to trick you into providing sensitive personal information such as your password, credit card numbers, account numbers, etc. They are becoming more and more sophisticated, and can be difficult to distinguish from a legitimate message. If you’re interested in reading more about phishing, http://en.wikipedia.org/wiki/Phishing is a good resource.
That said, there are a few things to keep in mind which will help keep you (and our network) safe:
1) ITS will never ask for your password, username, social security numbers, etc. In fact, no legitimate bank, business, or organization will EVER email you asking for this information. If you see such a request, a red flag should immediately go up in your mind that the message is a scam and you should not respond. If you believe it might be legitimate, contact the organization by phone and tell them you are not comfortable sending such information over email.
2) Do not make the mistake of blindly trusting an email because it appears to come from someone you know or an institution with which you correspond. Email addresses are very easy to spoof, and it’s a very common tactic for phishers to spoof real email addresses in order to make it more likely that their phishing emails will trick people.
3) Do not trust links – they can very easily be masked to appear to be something they are not. For example, you may see a link to https://wellsfargo.com/myaccount and assume it is legitimate, when in fact that link actually points to something completely different. At the very least, mouse over a link without clicking on it – you’ll see a small window pop up which tells you where that link really points. Check the mouseover display to confirm that it matches the text of the link before clicking (try it on the example above – it certainly does not point to the address it seems to).
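The mouseover check from item 3 can also be run automatically over the HTML body of a message. The script below is an added example, not something ITS runs or distributes: the function names are hypothetical, the sample message is constructed, and example.invalid is a placeholder domain. It flags any link whose visible text looks like a web address but whose real destination is a different host.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Visible text that looks like a web address, with or without a scheme.
URL_LIKE = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.I)

def host_of(url):
    """Lower-cased hostname of a URL; accepts text without a scheme."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

class LinkAudit(HTMLParser):
    """Collects (shown text, real href) pairs whose hosts disagree."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:      # only text inside an <a> element
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown = "".join(self.text).strip()
        # Same comparison a reader makes on mouseover: text vs. real target.
        if URL_LIKE.match(shown) and host_of(shown) != host_of(self.href):
            self.findings.append((shown, self.href))
        self.href = None

def masked_links(html):
    audit = LinkAudit()
    audit.feed(html)
    audit.close()
    return audit.findings

# Constructed sample message body (not a real phishing email).
SAMPLE = """<p>Please verify your account:
<a href="http://login.example.invalid/wf">https://wellsfargo.com/myaccount</a></p>
<p><a href="https://www.wellsfargo.com/help">wellsfargo.com/help</a></p>
<p><a href="http://example.invalid/prize">Click the link below to claim your prize</a></p>"""

if __name__ == "__main__":
    for shown, real in masked_links(SAMPLE):
        print(f"shows {shown!r} but points to {real!r}")
```

A link whose text is a phrase rather than an address (the third one in the sample) is not flagged by this check; for those, the destination still has to be read on mouseover.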
Here are a few common phrases used in phishing messages you should watch out for:
* “Please verify your account”
* “If you don’t respond within 48 hours, your account will be closed / canceled”
* “Click the link below to access your account”
* “Click the link below to update your information”
* “Click the link below to claim your prize”
It pays to be cautious with your personal information – if anything seems suspicious about a message, you’re much better off assuming that it IS a scam and confirming before clicking or replying than you are shrugging and saying “nah, I’m just being paranoid.”
