Phishing
Phishing attacks use a combination of emails or instant messages and malicious websites to
solicit personal information (i.e., they are "fishing" for information). A phishing attack
will typically attempt to emulate the look of a genuine website and email. Often, the
phishing attack will try to convince the reader that they must act immediately or face some dire
consequence. Recently, phishing scams have become more common on social networking sites.
If you receive a phishing scam in your UNI email, please forward the email to
phishing@uni.edu.
To view examples of phishing attempts directed at UNI users, see the
Phishing Examples page.
Remember these tips:
- Never provide your passwords to anyone. UNI and other institutions will not ask for your
password. If asked for your password by phone or email, end the conversation
immediately.
- UNI disables email accounts based on a user's status with UNI (no longer enrolled or employed),
not by account usage. UNI will not send out notices requiring people to confirm their
information to keep their email account.
- Never send your Social Security number, credit card numbers, driver's license numbers, bank
account numbers, or passwords via email or instant messaging under any circumstances.
- Never click links in emails from unknown senders.
- Instead of clicking links in emails, go to the purported site directly. For example, if
you get an email supposedly from Amazon asking you to log into your account, do not click the link
in the email. Instead, open your web browser and type Amazon's address in manually or use a
bookmark you've created.
- If it sounds too good to be true, it probably is.
- Use sound judgment. Ask yourself if a particular request received makes sense.
- While not a universal trait, many phishing attempts include poor spelling and grammatical
errors.
- Use up-to-date browsers and software. Many will now warn when visiting known phishing
sites. Unfortunately, these anti-phishing features are not fool-proof and cannot protect
against all threats.
- Note the URL of websites you visit before providing information. Often, phishing sites
will use a domain with a variation in spelling or use a misleading sub-domain. For example, a
phishing site may use a URL like www.yourbank.fakesite.com.
- Be very suspicious of any website, email, phone call, or instant message that requests that you
verify your information, especially if it is information an organization would not forget (account
numbers, usernames, passwords, Social Security numbers, etc.). It is slightly more common for
organizations to ask you to verify your phone number, address, or email address as these can
change, but they will usually present you with information they have on file, which you should
recognize as your current or former information.
- If you find yourself unsure if an email is a phishing attempt, play it safe and call the
organization directly using a known good number.
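The URL tip above (a domain with a variation in spelling, or a misleading sub-domain such as www.yourbank.fakesite.com) can be expressed as a check on the host name. The following Python code is an added example, not part of the original page; the function names, the sample URLs, and the trusted domain yourbank.com are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted_domain: str) -> str:
    """Compare a URL's host with the domain the user expects to be on."""
    # Assumption: trusted_domain is the bare registered domain ("yourbank.com").
    host = (urlsplit(url).hostname or "").rstrip(".")
    trusted = trusted_domain.lower()
    if not host:
        return "no-host"
    # Only the right-hand end of the host name identifies the site's owner.
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    brand = trusted.split(".")[0]          # "yourbank" from "yourbank.com"
    labels = host.split(".")
    # Brand name used as a label of somebody else's domain.
    if brand in labels:
        return "misleading-subdomain"
    # A label one or two edits away from the brand: a spelling variation.
    if any(0 < edit_distance(label, brand) <= 2 for label in labels):
        return "lookalike-spelling"
    return "unrelated"


# Constructed sample URLs; "yourbank.com" is an assumed trusted domain.
SAMPLES = [
    "https://www.yourbank.com/login",
    "http://www.yourbank.fakesite.com/login",
    "https://www.yourbanc.com/login",
    "https://example.org/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_url(sample, 'yourbank.com'):22} {sample}")
```

A result of "unrelated" only means the host does not resemble the trusted domain; it says nothing about whether that site is safe.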
If you think you may have fallen for a phishing scam, contact the organizations where the
information could potentially be used. For example, if you provided a username and password
for your bank to a phishing site, contact your bank. If you provided your personal
information, like your Social Security number, contact the credit bureaus. For more
information on specific scenarios, see
http://www.antiphishing.org/consumer_recs2.html.
In some cases you may need to file a police report and contact the FTC. ITS has
government-provided documentation for identity theft victims. If you need these documents, contact
security@uni.edu.
If you think you have fallen for a phishing scam and provided information about UNI or your UNI
accounts, immediately contact ITS at 3-5555 and notify your supervisor.