Phishing
What is it?
Phony emails are sent to addresses across the Internet that appear to be from reputable organizations, but are not. The emails are actually from criminals who are attempting to lure you into providing personal information such as social security numbers, debit or credit card numbers, usernames and passwords. Often both the emails and the web pages they direct you to look just like what you would expect to receive from that organization, because the logos and formats have been copied.
It's called phishing because the criminals are broadcasting phoney emails to large numbers of addresses, hoping that some recipients will "take the bait". The emails will either try to entice you with promises and great deals, or scare you into providing the information.
It's important to note that the company being spoofed has nothing to do with the scam. Its name is just being used to coax you into the scheme.
How did they get my email address?
Schools, government agencies and some businesses and associations post staff, student and other email addresses on the Internet. Sometimes people use their email addresses when posting to web pages, blogs or online forums. Sometimes, people click on the "unsubscribe" buttons in spam email, thus providing the phisher with a valuable acknowledgement that your email address is correct!
To see where the phishers may have obtained your email address, go to www.google.com and enter the following in the search field. Be sure to include the quotation marks and ampersand (&) to increase the accuracy of your search. Substitute your own information for the placeholders in the search string: your last name, and the domain of the email address at which you received the phishing email (ending in .edu, .com, .org, .gov, etc.).
"your_last_name" & "@your_email_domain"
An example would be:
"doe" & "@nd.edu"
Any listings of your email address that appear are a potential source used by phishers and spammers to get your email address.
What's the big deal if I give them my username (NetID) and password?
In the case of banking the results are obvious: the person now has access to your money. In a university, what they gain access to is a bit different, and it could cause damage to both yourself and others. They could potentially gain further information about you and your friends and coworkers that could be used to steal more identities. They gain access to your email, allowing them to read and send messages on your behalf, including large quantities of spam. They will have access to the ND services you are authorized to use and could do things like change your insurance beneficiaries or emergency contact information, change your course selections, etc. They could also lock you out of your account by changing your password.
What are some examples of phishing?
If you receive an email soliciting confidential information such as your password, Social Security Number, credit card number or other sensitive information, and it instructs you to send that information via email, it is likely a scam. E-mail messages travel over the Internet in an insecure manner, and sensitive information should not be sent via email. Notre Dame will NEVER request this information from you via e-mail. Some examples of phishing that have recently been found in nd.edu mailboxes can be seen here.
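The traits described above (a request to send a password or SSN back by email, a sender posing as an organization it was not sent from, and a link whose visible text names one site while it actually leads to another) can be checked mechanically. The following is an added example written for this page, not OIT's own tooling; the sender addresses, display names and message bodies are constructed samples.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Words and phrases that, together, suggest secrets are being solicited by email.
SECRET_WORDS = ("password", "social security", "ssn", "credit card", "netid")
SOLICIT_CUES = ("reply with", "send us", "email us", "respond with",
                "provide your", "confirm your")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+\.[a-z]{2,}\b")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _domain(s):
    """Last two labels of the host in s, lowercased (e.g. 'nd.edu')."""
    host = urlparse(s if "://" in s else "http://" + s).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(from_addr, display_name, html_body):
    """Return the reasons this message shows the traits the FAQ describes."""
    reasons = []
    text = re.sub(r"<[^>]+>", " ", html_body).lower()
    if any(w in text for w in SECRET_WORDS) and any(c in text for c in SOLICIT_CUES):
        reasons.append("asks for a password/SSN/card number to be sent by email")
    sender = _domain(from_addr.rsplit("@", 1)[-1])
    # Display name that claims a domain the message was not actually sent from.
    for claimed in DOMAIN_RE.findall(display_name.lower()):
        if _domain(claimed) != sender:
            reasons.append(f"display name claims {claimed} but sender is {sender}")
    # Link whose visible text names one domain while the href goes to another.
    parser = _LinkCollector()
    parser.feed(html_body)
    for href, label in parser.links:
        shown = DOMAIN_RE.findall(label.lower())
        if shown and _domain(shown[0]) != _domain(href):
            reasons.append(f"link shows {_domain(shown[0])} but goes to {_domain(href)}")
    return reasons
```

An empty list does not mean a message is safe; these checks only catch the three patterns named above, and the advice in the rest of the page still applies.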
What do I do if I receive an email that looks suspicious?
If the email appears to be from an organization you do not currently do business with, discard it. If it appears to be from an organization you do business with (e.g. your financial institution), contact that organization for instructions. It is important that you NOT use the phone numbers, web addresses or email addresses included in the suspicious email, as they may not be legitimate and could connect you with the criminals. Use the officially published addresses and phone numbers of the institution you do business with.
What if I already provided my personal information?
If you provided debit or credit account information, contact your financial institution immediately. If you provided your username and/or password, contact the institution or organization the account is associated with, and they can assist you in re-securing your account. You should also review the information and instructions about Identity Theft at http://secure.nd.edu.
Can you recognize a phishing scam?
Check out the Phishing Quiz
What is OIT doing about these scams?
With each new email scam that we observe, OIT system administrators analyze the message and make configuration changes to attempt to block future messages, while being careful NOT to block legitimate email. Unfortunately, it is impossible to predict exactly what the next scam will look like or where it will come from, so we are unable to stop some of these messages from getting through to your mailbox. When they do, use the delete key.
Where can I go for more information?
http://www.antiphishing.org/
http://www.sec.gov/investor/pubs/phishing.htm
http://pages.ebay.com/education/spooftutorial/
https://www.paypal.com/cgi-bin/webscr?cmd=p/gen/email-security-outside
http://www.usdoj.gov/opa/pr/2003/May/publicadvisory1.pdf
http://www.ftc.gov/bcp/edu/microsites/idtheft/
http://www.microsoft.com/athome/security/email/phishing.mspx