IS warns don’t take online ‘phishers’ bait
By Bob Shaffer
JUNE 22, 2007--Phish-ing (fish’ing). Webster’s dictionary defines it as the practice of luring unsuspecting Internet users to a fake web site by using authentic-looking email with the real organization’s logo, in an attempt to steal passwords, financial or personal information.
The threat is very real and present here at UTMB. Fortunately, most of the phishing attempts are caught by our spam filter, and/or the web site that unsuspecting victims are directed to is quickly shut down by authorities. But there are no guarantees.
A standard practice for testing the effectiveness of a state agency’s information security awareness program is to send out pre-approved “test” phishing scams. During the test of one agency, phishing emails were sent to fifty network users. The email appeared to come from the agency’s helpdesk and requested that recipients click on the embedded web link to reset the password. The web link provided in the email sent users to an authentic-looking website on an entirely different network. Of the fifty emails sent out, forty-four users responded and forty-four account names and passwords were obtained.
To avoid being lured into the trap, here are some easy-to-remember tips to protect you from phishing attempts, identity theft and fraud.
- Be suspicious if someone contacts you unexpectedly and asks for your personal information. It’s a warning sign that something is “phishy.” Legitimate companies and agencies don’t operate that way.
- Don’t click on links in emails that ask you to provide personal information. To check whether an email or call is really from the company or agency, contact it directly by phone or online using an email address or phone number verified independently of the questionable email.
If you think you’ve been a victim of a phishing attempt:
- If you provided account numbers, PINs, or passwords to a phisher, notify the companies with which you have those accounts immediately.
- If you provided the password to your UTMB computer account, change it immediately and contact the Information Security Officer (iso@utmb.edu).
- Put a “fraud alert” on your files at the credit reporting bureaus. For information about how to do that and other advice for ID theft victims, contact the Federal Trade Commission’s ID Theft Clearinghouse at www.consumer.gov/idtheft or toll-free, (877) 438-4338. The TDD number is (202) 326-2502.
Even if you didn’t get hooked, you should immediately report any phishing attempts to the Information Security Officer so that further action can be taken to protect the staff of UTMB.
Learn how to protect yourself from phishers at www.phishinginfo.org, where many of these tips originated.
Bob Shaffer is UTMB’s Information Security Officer.


