Identity theft is a growing issue for Internet users. From time to time you may receive e-mail messages that look legitimate but are not. The messages appear to come from a trusted source but are actually one form of "phishing". Often such emails attempt to "phish" for your account information and password. Caution is always advised and you should protect yourself from online fraud.
What is "phishing"?
Phishing is an online scam involving the use of e-mail messages that appear to be sent from a trusted source such as "the help team", your financial institution, or some other trusted source such as another msu.edu user. Such e-mails are actually being sent by impostors trying to gain access to your personal and financial information. Once the imposter has your information, they may hijack your mail account to use for illegal purposes, or access your bank accounts if you compromise such information.
Spear phishing is a technique that con artists use to specifically target individuals or companies and gain access to private information or accounts. With spear phishing, hackers disguise themselves as a trusted source by sending an email with a request to provide personal information, such as log in and password information. When the person gives the information by replying to the email or via a website link provided, the criminal goes into the account and takes what they want.
Besides the common approach of requesting a response, phishing e-mails often ask you to click on a link to a false web site that asks you to input or confirm your personal and/or financial information such as your account number, credit card numbers, Social Security number, or passwords.
How can you spot a fraudulent e-mail?
There are many ways that you can detect a fraudulent e-mail and prevent becoming a victim of a phishing attack.
- Language and tone. Often times there is a sense of urgency in the tone of a fraudulent e-mail. The message may suggest that without quick response, your account may be suspended from access or threatened in some other way. Pay close attention to the content, it is likely that the message will have unusual wording and contain misspellings. Some may even use incorrect terms for product names or services.
- Requests for personal information. Fraudulent e-mails usually request personal and financial information such as:
- Account numbers
- Credit card and check card numbers
- Social Security numbers
- Usernames and passwords
- Date of birth
- Mother's maiden name
- Other confidential information
- False links to web sites. Be sure that you are on the actual site of the financial institution or trusted business and that it is a secure site. A secure site will have an address that begins with "https:" and a padlock or gold key in the bottom right corner of your browser window. It is recommended that you verify the certificate of the site you are visiting by clicking on the locked padlock or gold key. All MSU web pages that need you to log in with your NetID and password will begin with https: and are secure.
- Verification. Some company web sites provide listings of all of the e-mail communications that are sent so customers can verify the validity of these messages. Opening the home page of a company by typing the web address in the web browser (not clicking on a link in the e-mail) is a good first step. If the e-mail contained information that seems important, then there is a good chance it should appear on company's web site.
- MSU will not send you e-mails requesting personal information. We have this information and it is backed-up off site in case of any physical disaster to our main office.
How to protect yourself from being "phished"
- Be suspicious of demanding messages. Messages that demand immediate response and threaten to suspend or terminate your account should be cause for concern. Legitimate institutions such as MSU or businesses such as banks will not request personal or financial information through an e-mail or a non-secure site. If you are unsure about the message, contact the financial institution or business. Do not use the telephone numbers or e-mail addresses found on the suspected site.
- Always type in the URL of the web site you need. Phishing scams often rely on a reader's tendency to simply click on the links in a message. Often the link(s) listed in the body of information will appear to be legitimate, but will actually take you to the false web sites to gather your information. Protect yourself by entering the web address directly into your browser so that you know that you are visiting the legitimate site.
- Protect your information. Keep passwords, personal or sensitive information in a secure area. For added protection, change your password frequently.
How to report phishing attacks to MSU
Please report the phishing attack to MSU by FORWARDING the e-mail with full headers to email@example.com. Or, use our contact form and paste a copy of the full headers into the form as part of your reporting. Please use the link below to assist you in finding the full headers:
- Finding full e-mail headers for reporting abuse issues (Techbase article 974)
We will use this information to block phishing scams from reaching other MSU e-mail users, as noted in the example in the following section.
What is MSU doing to help prevent phishing and identity theft problems on campus?
In addition to phishing schemes, identify theft can also occur if your login id and passwords are sent over the network in a non-secure manner.
At MSU, the central email system (mail.msu.edu) transmits your login information in an encrypted format via an SSL (secure sockets layer) connection. In addition, all key MSU websites (mail.msu.edu, D2L, STUINFO, and others) use secure http (https) connections.
After MSU receives a report about a phishing scam, we use the information from the full headers of the e-mail to determine where the e-mails are coming from. We will then block these e-mails from reaching any other MSU e-mail addresses.
If you attempt to reply to a phishing message that has already been reported, you will receive an error message that will prevent you from replying to the e-mail. An example is shown below:
Your message did not reach some or all of the intended recipients. Subject: FW: phishers / spam control Sent: 5/12/2008 11:03 AM The following recipient(s) cannot be reached: 'firstname.lastname@example.org' on 5/12/2008 11:03 AM 550 "Address Blocked See http://techbase.msu.edu/article.asp?id=4194"
Important Note: The above error message is only an example. The listed e-mail address will vary.
If you replied to the e-mail and you did not get an error message, do not continue to reply. This phishing address has not yet been reported. Please refer to the previous section above on how to report it to MSU.
If you replied by providing your account id and password, you have become a victim and need to immediately take additional steps, as outlined below.
What to do if you are a victim of a phishing scam
In the event that you responded and provided the solicited information, or have input your information in the fraudulent web site, it is important to act quickly to minimize possible damage to your finances and credit history.
If you have compromised your MSU netID:
- Immediately change your password
- Call IT Services Support immediately
Note: accounts that are hijacked, used for illegal purposes, and that may compromise other users' information may be closed.
If you have compromised other information such as your social security number or banking information:
- Contact your financial institution or trusted business immediately.
- File a police report. Obtain a copy of the written report as proof for creditors.
- After the attack, if your personal information has been compromised you should file a fraud alert with the credit reporting services and perhaps review your credit reports (there are 3 major credit reporting services) to determine if any fraudulent activity appears. The Federal Trade Commission (FTC) has more complete information and instructions. See the link listed below.
Additional resources on phishing
- Information and advice from the Federal Trade Commission (FTC) for dealing with ID theft including phishing.
- Microsoft's security advice pages include a variety of valuable information such as their advice on what to do if you have responded to a phishing scam.
- MSU"s SecureIT site.