In February, some questionable e-mail messages reached the inboxes of many members of the Fordham community. While the e-mail purported to contain useful information from the University, it was really a manifestation of a common cyber-attack known as “phishing.”
Phishing schemes are e-mails, websites and pop-up windows designed to mislead the user into clicking on a link that contains malicious software. Shortly after the February 23 e-mail, the University Information Security Office (UISO) identified it as a phishing e-mail and notified the University community of its contents.
Well-designed e-mail phishing schemes can sometimes temporarily bypass the spam and virus filters in place at Fordham. Though the UISO could not prevent delivery of all of the phishing e-mails, it broadcast the message as a security threat. Fordham e-mail users can protect themselves by using proper precautions.
Phishing scams will appear to be from an organization you normally deal with, such as a bank, government agency or even Fordham University. The message will typically ask you to “update”, “confirm” or “validate” your account information via a URL. This URL will appear to be legitimate, but is in fact bogus.
The following tips are ways to identify spam and phishing scams:
- Fordham University will NEVER ask you for personally identifiable information such as bank accounts, social security or credit card numbers, usernames, passwords, full name and/or date of birth.
- Watch out for phone numbers in e-mail. They could be fake and you may be talking to a thief. To be safe, use the phone numbers listed on your financial statements and/or the back of your credit card.
- Most e-mails from organizations will be addressed to you if they are requesting personal information. Although this is not always the case, be aware of e-mails that are very generic and not specific to you: e.g., “Dear Trusted Chase Customer.”
- Most organizations use secure connections when it comes to entering personal information, so always look out for websites starting with HTTPS://. The ‘S’ stands for secure, whereas HTTP:// is not a secure connection.
- Always hover your mouse pointer over Web links to view the actual URL you would be connecting to. The link will be listed in the status bar at the bottom of your browser or e-mail program. To be safe, manually enter the URL of a trusted site yourself in a new browser window: e.g., the link may send you to www.chase1.com when you should manually enter www.chase.com.
- Be aware of any e-mails from Fordham University and/or organizations asking you to open file attachments, as most information is readily available on their website.
- Be skeptical about any and all information in an unsolicited e-mail.
- Avoid opening e-mails with suspicious subject titles or from e-mail addresses you do not recognize.
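The hover check from the tips above can also be automated for mail that arrives as HTML. The following is an added example, not code from Fordham or the UISO: it compares each link's visible text with its real target and flags lookalike domains and non-HTTPS links. The `TRUSTED` allow-list, the 0.85 similarity threshold and the sample message are constructed assumptions.

```python
# Added example: flag e-mail links whose real target differs from what is shown.
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"chase.com", "fordham.edu"}  # assumed allow-list, not from the article
SAMPLE_EMAIL = (  # constructed message body
    '<p>Dear Trusted Chase Customer, please confirm your account at '
    '<a href="http://www.chase1.com/validate">www.chase.com</a>.</p>'
    '<p><a href="https://www.fordham.edu/news">University news</a></p>')

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased host without a leading 'www.'; '' if there is none."""
    host = urlsplit(value if "//" in value else "//" + value).hostname or ""
    return host[4:] if host.startswith("www.") else host

def check_links(html):
    """Return {href: [warnings]} for links that deserve a second look."""
    parser, report = LinkCollector(), {}
    parser.feed(html)
    for href, text in parser.links:
        target, notes = host_of(href), []
        if urlsplit(href).scheme != "https":
            notes.append("not HTTPS")
        looks_like_url = re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I)
        if looks_like_url and host_of(text) != target:
            notes.append(f"text shows {host_of(text)}, link goes to {target}")
        for good in sorted(TRUSTED):
            if target != good and SequenceMatcher(None, target, good).ratio() > 0.85:
                notes.append(f"{target} resembles {good}")
        if notes:
            report[href] = notes
    return report
```

Calling `check_links(SAMPLE_EMAIL)` reports only the first link; the Fordham link passes because its host is on the allow-list and its visible text does not claim a different address.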
The UISO maintains several communications channels to inform the Fordham community of phishing attacks when they arise, as part of an effort to increase user awareness of malicious cyber-activity and help users avoid situations that put University online information at risk.
The UISO recommends that all Fordham users check the Secure IT Blog for regular updates. Users of the popular social networking sites are also encouraged to follow SecureIT on Facebook and on Twitter to stay connected in real time.