Information Systems FAQ

What is phishing?

Phishing is a prevalent form of identity theft. Phishers typically send an e-mail informing you that something needs to be fixed or validated with your account and asking you to go to a website where you can enter account information. The e-mails are worded to give the impression that they are from a legitimate company or organization, but IT'S A SCAM! Phishers want you to believe that someone is helping you, such as the Help Desk, Account Manager, Systems Security, IT Services, credit card company, bank, etc., when they really want your account info. Phishers also often try to create a sense of urgency by threatenting negative consequences if you do not respond to their message. For example, the e-mail may tell you your account has been closed and you must now restore it, or it may indicate that the account will be closed if you do not comply.

Don't take the bait! Your information can be used in a variety of fraudulent ways, such as

• Charging purchases to your credit card account
• Withdrawing funds from your bank account
• Opening new credit accounts in your name and charging to the limit
• Gaining unauthorized access into the university's computer network to gain access to our e-mail server, which can then be used to launch more spam/phishing attacks. The e-mail server can get so flooded with the resulting spam that service can be very seriously impaired. Successful phishing incidents have actually resulted in e-mail delays on our own campus, impairing everyone's ability to do their jobs effectively. Many colleges and universities around the country are struggling to control this growing problem.

In addition to e-mail phishing, you might see phishing scams:

• on a social networking site, like Facebook
• in your instant message program
• on your cell phone or regular phone
• on fake websites made to look like legitimate sites
• in a pop-up while you're on a legitimate web site
• in a Twitter message that links you to a fake Twitter log-in page (read more about this scam here)

Phishing Examples

Following are two examples of recent phishing attempts sent to UIndy e-mail addresses. Many additional real-life phishing examples are available in the Anti-Phishing Working Group (APWG) Archive.

Example 1.

Click here to see what's "phishy" about this e-mail.

From: enroll@usbanks.com
To: tbusch@uindy.edu
Sent: Tuesday, December 9, 2008 9:26:11 AM GMT -05:00 US/Canada Eastern
Subject: US Bank - Verified by Visa Enrollment

Dear US Bank Customer

Your US Bank card has been automatically enrolled in the Verified
by Visa program
To ensure your Visa card’s security, it is important that you
protect your Visa card online with a personal password. Please
take a moment, and activate for Verified by Visa now.

Verified by Visa protects your existing Visa card with a password
you create, giving you assurance that only you can use your Visa
card online.
Simply activate your card and create your personal password.
You’ll get the added confidence that your Visa card is safe when
you shop at participating online stores.

Please click the link below Activate Now for Verified by Visa

http://ngg.ro/usbank/

We present our apologies and thank you for co-operating.
Please do not answer to this email - follow the instructions
given.
These instructions have been sent to all bank customers and it's
obligatory to follow.
- 2008 US Bank Service Department

* Please note: If you FAIL to update your Visa card, it will be
temporarily disabled.

Example 2.

This example appears to be an official communication from Huntington Bank, even using an official-looking logo. Click here to find out what's "phishy" about this e-mail and what would happen if you clicked on the link to the "Resolution Center."