Article: Security Bytes
By J. D. Rummel (rummel@creighton.edu)
Recently I did a few in-person sessions with the title: Spam, Scams, Phishing and Pharming. The segment on phishing really got people’s attention. Below is a brief discussion about the topic of phishing and what you need to know about it.
Q. What is phishing?
A. Phishing is a play on the word “fishing,” which, as we all know, means using bait to catch some unsuspecting creature that we intend to clean and then grill. When you are being “phished” on the Internet, the goal is to grill you, then clean you out.
Q. So, how does phishing work?
A. It takes a lot of different forms but it often follows this model: You receive an e-mail that looks like it is from some legitimate name (Chase Manhattan Bank, Paypal, etc.) and that mail claims you need to click on a link in order to perform some important task. Sometimes it is about an account balance, sometimes it’s to protect you from hackers (“We need to confirm your PIN/SSN/Account number”). It always looks very official at first glance and it preys upon your sense of order and safety. What reasonable person wouldn’t want to correct an error or protect herself?
Q. So what happens when someone clicks the link?
A. It depends on the code, but basically you are taken to some official-looking site where you are prompted to enter some kind of information about yourself. The goal of phishing is to get your private information: your bank account number, your credit card numbers or the Holy Grail, your Social Security Number. Once you have surrendered this information you are in for a world of hurt, because the bad guys can become you on the Internet. When they do this they are going to spend your money and ruin your credit rating.
Q. Why doesn’t Postini and/or DoIT stop these messages?
A. Every system does what it can, but the people who send these things are very aggressive and always on the move. When a source of trouble is recognized, Postini adds it to their “black list” of bad messages, but the hackers keep changing the contents of the message and where they are sending from. It’s always a game of catch-up for the good guys. The best defense is for the people using e-mail to be aware.
Q. I get those e-mails every now and then. How can I tell if it’s legitimate?
A. First, know that major companies won’t contact you via e-mail in order to ask you for personal information they already have. They are extremely aware of how large this problem is and frequently employ whole offices whose only job is to deal with this fraud. However, in any message there are signs to look for:
- Does the message address you by name or by some polite generic greeting (“Dear Valued Customer”)? Think about it. If you are their customer, they know your name.
- How’s the grammar? If some of the sentences are poor, or if subject and verb don’t agree, that should raise a flag for you. Big companies can probably afford a proofreader.
- Do a “mouseover” on the web address they want you to go to. Guide your mouse pointer over the text (don’t click on anything) and you should see the actual link. If it has a string of numbers (http://65.48.234.134) or some unprofessional name (http://hotshots.baby.org/~bobbymac/paypal.htm), run away.
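The signs above, turned into a small checker as an added example (this is not code from the article): it scans a constructed message body for a generic greeting, links whose host is a bare IP address, a brand name buried in the path rather than the domain, link text that shows one domain while the real destination is another, and plain-http links. The BRANDS and GENERIC_GREETINGS lists are assumptions for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style message body (not a real e-mail).
SAMPLE_HTML = """<p>Dear Valued Customer,</p>
<p>We need to confirm your account. Please <a href="http://65.48.234.134/login">click here</a>
or visit <a href="http://hotshots.baby.org/~bobbymac/paypal.htm">www.paypal.com</a>.</p>"""

# Assumed lists: generic salutations and brands the message might impersonate.
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user", "dear member")
BRANDS = ("paypal", "chase")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, the programmatic form of the mouseover check."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_warnings(href, text):
    """Return the warning signs from the article that apply to one link."""
    parts, warnings = urlparse(href), []
    host = (parts.hostname or "").lower()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("host is a bare IP address")
    if parts.scheme != "https":
        warnings.append("not https")
    for brand in BRANDS:  # brand name in the path but not in the real domain
        if brand in parts.path.lower() and brand not in host:
            warnings.append(f"'{brand}' appears in path but not in domain")
    shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())  # domain-like link text
    if shown and shown.group(0) != host:
        warnings.append(f"link text shows {shown.group(0)} but goes to {host}")
    return warnings

def analyze(html):
    """Map each suspicious link (and the greeting) to the signs it triggers."""
    findings = {}
    if any(g in html.lower() for g in GENERIC_GREETINGS):
        findings["greeting"] = ["generic salutation instead of your name"]
    parser = LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        if link_warnings(href, text):
            findings[href] = link_warnings(href, text)
    return findings
```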
Q. Should I just throw these messages away?
A. Generally speaking, yes. However, if you are planning to report the problem then whoever investigates may want to see the offending mail or will ask you to forward the message.
Q. Where do I report these messages?
A. Forward spam that is phishing for information to spam@uce.gov and to the company, bank, or organization impersonated in the phishing email. Most organizations have information on their websites about where to report problems.
Q. How big is this phishing problem?
A. It’s huge and growing. These fraudulent messages go out in the millions every time they are launched. If only one percent of the recipients click on them the potential for loss is gigantic (if you are a crook the potential for profit is equally impressive).
Some things to think about:
- Don't reply to email or pop-up messages that ask for personal or financial information, and don't click on links in the message.
- Don't cut and paste a link from the message into your Web browser. Phishers can make links look like they go one place but actually send you to a different site.
- If you are concerned about your account, contact the organization in question using a phone number you know to be genuine, or open a new Internet browser session and type in the company's correct Web address yourself.
- Only send sensitive information over connections that use the https prefix. If that trailing “s” is missing, it is not a secure site.
- Use anti-virus software and keep it up to date.
- Never email personal or financial information.
- Review credit card and bank account statements as soon as you receive them to check for unauthorized charges.
- Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who you think sent them.
That’s all for this edition. Remember: Secre is not a word (because it can’t be secure without U).