Posted: 10/3/2008 15:47

Cyber Security Awareness Month 2008 - Week 1 - Phishing Scams

Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, or your bank). These messages usually direct you to a spoofed web site or otherwise get you to divulge private information (e.g., password, credit card, or other account updates). The perpetrators then use this private information to commit identity theft or use the email account for sending spam or other fraudulent messages.

Phishing scams are crude social engineering tools designed to induce panic in the reader. They press recipients to respond or click immediately by threatening a loss (e.g., of an email or bank account) unless action is taken within a short deadline. Such a threat is a strong indicator of a phishing scam: legitimate companies and organizations do not ask you to supply passwords or account details by email, and do not deactivate accounts on an email-imposed deadline.

An example of a phishing attempt is an email message which states that you are receiving it due to fraudulent activity on your account, and asks you to "click here" to verify your information. For an example of a phishing scam targeted at University of Arkansas, see below.

Avoiding phishing scams

Be suspicious of any email message that asks you to enter or verify personal information through a web site or by replying to the message itself. Never reply to the message or click the links in the message. If you feel the message may be legitimate, go directly to the company's web site (i.e., type the real URL into your browser) or contact the company to see if you really do need to take the action described in the email message.

When you recognize a phishing message, delete the email message from your Inbox, and then empty it from the deleted items folder to avoid accidentally accessing the web sites it points to.

Read your email as plain text whenever you can. Phishing messages often contain clickable images or link text that look legitimate; in plain text you see the actual URL each link points to rather than the text or image the sender chose to display. Rendering HTML also lets a message load remote content and exposes your mail client's HTML rendering engine, which has repeatedly been a route for viruses, worms, and Trojans.

Warnings

Reading email as plain text helps you spot many phishing messages, but not all of them. Some legitimate sites have redirect scripts that forward the browser to whatever URL is given in the query string without checking it (an open redirect). A phishing link can therefore begin with a legitimate domain name and still land on the attacker's fake site, so a familiar domain at the start of a URL is not proof that the link is safe.

You can report these phishing scam attempts to the company that's being spoofed. You can also send reports to the Federal Trade Commission (FTC).

Example of a phishing scam

The following phishing scam was targeted at University of Arkansas Webmail users:

From: UARK INTERNET SUPPORT 
Reply-to: iuark@yahoo.com
To: @uark.edu
Date: Sat, 17 May 2008 03:54:34 -0300
Subject: Confirm Your E-mail Address

Dear Uark Webmail User,

To complete your Account Verification process, you are to reply this message and enter your password in the space provided (*******),you are required to do this before the next 48hrs of receipt of this e-mail, or your Webmail Account will be de-activated and erased from our database. Your account can also be verified at: https://uamail.uark.edu/imp/login.php Thank you for using UARK Webmail Service.

UARK INTERNET SUPPORT
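The following script is an added example, not code from the original page or from the university's IT department. It applies the checks described above (the warning about link text versus the real target and about open redirects on legitimate sites, and the indicators visible in the sample message: a Reply-To address at an unrelated free-mail domain, a request to reply with a password, and a 48-hour deadline) to a constructed message modelled on the sample. The addresses, domains, message text and keyword lists are all constructed for illustration; the checks are heuristics, not a substitute for the advice to go directly to the real site.

```python
"""Phishing-indicator checks over a raw RFC 822 message (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Deadline / threat phrasing used to induce panic (assumed list, extend as needed).
URGENCY_WORDS = ("48hrs", "48 hours", "24 hours", "de-activated", "deactivated",
                 "suspended", "erased", "immediately")


class LinkExtractor(HTMLParser):
    """Collects (visible anchor text, href) pairs and the message's visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._chunks = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self._chunks.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor_text).strip(), self._href))
            self._href = None

    @property
    def text(self):
        return " ".join(self._chunks)


def _domain(header_value):
    """Domain part of the address in a From/Reply-To header, lower-cased."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _host(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _looks_like_url(text):
    return bool(re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I))


def _body(msg):
    """First text/html or text/plain part, decoded with the declared charset."""
    part = next((p for p in msg.walk()
                 if p.get_content_type() in ("text/html", "text/plain")), None)
    if part is None:
        return ""
    payload = part.get_payload(decode=True) or b""
    return payload.decode(part.get_content_charset() or "utf-8", "replace")


def analyze(raw_message):
    """Return a list of phishing indicators found in the raw message (empty if none)."""
    msg = message_from_string(raw_message)
    findings = []
    # Replies routed to a different domain than the one the message claims to be from.
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply_to_mismatch:{from_domain}->{reply_domain}")
    parser = LinkExtractor()
    parser.feed(_body(msg))
    for shown, href in parser.links:
        target_host = _host(href)
        # Displayed URL differs from the real target (what plain-text reading reveals).
        if _looks_like_url(shown) and _host(shown) != target_host:
            findings.append(f"link_text_mismatch:{_host(shown)}->{target_host}")
        # Legitimate host whose query string carries an absolute URL to another host.
        for values in parse_qs(urlparse(href).query).values():
            for value in values:
                if value.lower().startswith(("http://", "https://")) and _host(value) != target_host:
                    findings.append(f"open_redirect:{target_host}->{_host(value)}")
    text = parser.text.lower()
    if "password" in text:
        findings.append("asks_for_password")
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency:" + ",".join(hits))
    return findings


# Constructed sample modelled on the phishing message above; all names are fictitious.
PHISH = """\
From: "Campus IT Support" <it-support@example.edu>
Reply-To: campus-it-support@freemail.example
To: user@example.edu
Subject: Confirm Your E-mail Address
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Dear Webmail User,</p>
<p>To complete your Account Verification, reply to this message with your
password in the space provided (*******). You must do this within 48hrs or
your account will be de-activated.</p>
<p>You can also verify at
<a href="https://portal.example.edu/redirect?url=https://webmail-verify.example.net/login">https://webmail.example.edu/login</a></p>
</body></html>
"""

# Constructed benign notice from the same sender for comparison.
BENIGN = """\
From: "Campus IT Support" <it-support@example.edu>
To: user@example.edu
Subject: Scheduled maintenance
Content-Type: text/html; charset=us-ascii

<p>Webmail will be unavailable Saturday 02:00-04:00. No action is needed.
Details: <a href="https://status.example.edu/maintenance">https://status.example.edu/maintenance</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, analyze(raw))
```

The open-redirect check only catches the simplest form (a full URL in a query parameter); encoded or path-based redirects need the per-site knowledge the warning above alludes to. Run on the constructed sample, the script reports the Reply-To mismatch, the link text/target mismatch, the redirect to a third host, the password request and the deadline, and reports nothing for the benign notice.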