Phishing attacks use a combination of emails or instant messages and malicious websites to solicit personal information (i.e., they are "fishing" for information). A phishing attack will typically attempt to emulate the look of a genuine website and email. Often, the phishing attack will try to convince the reader that they must act immediately or face some dire consequence. Recently, phishing scams have become more common on social networking sites. If you receive a phishing scam in your UNI email, please forward the email to email@example.com.
To view examples of pishing attempts directed at UNI users, see the Phishing Examples page.
Remember these tips:
- Never provide your passwords to anyone. UNI and other institutions will not ask for your password. If asked for your password by phone or email, end the conversation immediately.
- UNI disables email accounts based on a user's status (no longer enrolled or employed) with UNI, not by account usage. UNI will not send out notices requiring people confirm their information to keep their email account.
- Never send your Social Security number, credit card numbers, driver's license numbers, bank account numbers, or passwords via email or instant messaging under any circumstances.
- Never click links in emails from unknown senders.
- Instead of clicking links in emails, go to the purported site directly. For example, if you get an email supposedly from Amazon asking you to log into your account, do not click the link in the email. Instead, open your web browser and type Amazon's address in manually or use a bookmark you've created.
- If it sounds too good to be true, it probably is.
- Use sound judgment. Ask yourself if a particular request received makes sense.
- While not universal trait, many phishing attempts include poor spelling and grammatical errors.
- Use up-to-date browsers and software. Many will now warn when visiting known phishing sites. Unfortunately, these anti-phishing features are not fool-proof and cannot protect against all threats.
- Note the URL of websites you visit before providing information. Often, phishing sites will use a domain with a variation in spelling or use a misleading sub-domain. For example, a phishing site may use a URL like www.yourbank.fakesite.com
- Be very suspicious of any website, email, phone call, or instant message that requests you verify your information--especially if it is information an organization would not forget (account numbers, usernames, passwords, social security numbers, etc). It is slightly more common for organizations to ask you to verify your phone number, address, or email address as these can change, but they will usually present you with information they have on file, which you should recognize as your current or former information.
- If you find yourself unsure if an email is a phishing attempt, play it safe and call the organization directly using a known good number.
If you think you may have fallen for a phishing scam, contact the organizations where the information could potentially be used. For example, if you provided a username and password for your bank to a phishing site, contact your bank. If you provided your personal information, like your social security number, contact the credit bureaus. In some cases you may need to file a police report and contact the FTC. ITS has government-provided documentation for identity theft victims, if you need these documents, contact firstname.lastname@example.org.
If you think you have fallen for a phishing scam and provided information about UNI or your UNI accounts, immediately contact ITS at 3-5555 and notify your supervisor.
For more information:
- FTC site on identity theft - http://www.ftc.gov/bcp/edu/microsites/idtheft/
- US Dept. of Justice site on identity theft - http://www.usdoj.gov/criminal/fraud/websites/idtheft.html
- Examples of phishing attempts - http://www.identity-theft-help.us/phishing.htm