Recently, an increasing number of emails have been sent to Queen's University email addresses asking faculty, staff and students to verify their account NetID and password. Below is a list of responsible practices recommended by ITServices for anyone who receives an email asking for their NetID and password:
Please remember that no one at Queen's University will ever ask you to provide your account and password via an email. These emails hook you because they often contain a threat that your email account will be terminated unless you reply promptly. Be suspicious of all email asking for your NetID password and other personal information, no matter how legitimate the email sender name or address may appear! There are real consequences for you personally, referred to as identity theft and described in the "Phishing Scams" article below. There are also real consequences for campus email services, especially if your NetID is then used to send hundreds of thousands of spam email messages out from your Queen's University email address. This has resulted in the Queen's University email server being blacklisted and put on the list of known spammers. As a consequence, other institutions that use these blacklists also automatically block all email from Queen's University. Not only is this embarrassing for the University, but it seriously interferes with the day-to-day business of Queen's.
Below is an example of a fraudulent email recently sent to a number of email addresses at Queen's in an attempt to steal passwords by trying to appear authoritative. The email is a real example that has been used recently in what we call a "phishing" (pronounced "fishing") attack. A phishing email, such as the one below, is nothing more than an attempt to get people to send their NetID, password and date of birth. Out of hundreds of emails, the thief hopes that a few people will comply and send their personal information and password. Please notice that many, but not all, of these phishing emails contain poor grammar and spelling errors. Most do contain a threat of account termination if a reply is not received.
Example of Phishing Email
The following article, titled "Phishing Scams", provides more information on phishing and was previously published in the March 26, 2007 issue of The Gazette by George Farah, Information Systems Security Manager, ITServices.
Recent events on campus have made the threat of phishing scams very real. This article will describe phishing, how to prevent it, and what to do if you fall victim.
What is “phishing”?
Phishing is a term for a very popular form of communication scam that is currently a big problem. Email is its most common form, but it can also arrive as “snail mail” that appears legitimate and makes what seems to be a justifiable request. The purpose of phishing is to gain personal information from you that is then used to conduct identity theft. Identity theft occurs when someone uses your personal information illegally to obtain access to your financial information or pretends to be you (spoofing) to obtain credit cards in your name. Identity theft is one of the fastest growing criminal activities in Canada.
How can I recognize phishing emails?
The most important thing you can do is be aware of these scams and be suspicious of every message you receive from an unknown source. Often they look very legitimate with the logos, slogans or other identifying marks of a real company like eBay, CIBC or Amazon. You are directed to a clickable link where you may be instructed to verify your information or provide personal information like your driver’s licence or credit card number. If you highlight that link, the address of the real web site you will be directed to appears in the bottom left corner of your screen. You’ll notice that the link is unrecognizable or does not match the company that appears in the email. The link may also have a lot of different characters in it like % and #. Other characteristics of scams are spelling errors and slight changes to logos. Remember that Microsoft never sends updates for their software by email, so any email from Microsoft asking you to “click here” to upgrade your software is a scam.
How do I protect myself?
The best rule of thumb when you receive one of these messages is to delete it. Do not open it, and do not click anywhere in the message. Once you’ve deleted it, empty your deleted items folder. If you are not sure whether a request is legitimate, contact the company yourself by searching their Web site – do not click on the link to the Web site in the email. Another good practice when entering your personal information on a Web site is to check that you are on a secure server. To do that, look at the address field in your browser – the address of a page where you enter your information should begin with HTTPS, which means you are on a secure server. Also, when you are on a secure server, the padlock icon in the bottom right corner of your browser will close.
What if I get hooked?
If you are the victim of identity theft, it’s important you contact the police in your area and report it. You can also report the incident to Phonebusters, the Canadian anti-fraud centre (www.phonebusters.com). There is also an anti-phishing work group (www.antiphishing.org) that is building a database of phishing cases to help inform people of the risks. This is a serious crime with very real consequences for the people who get hit.
What is Queen’s doing about phishing Emails?
ITServices has an industry standard list of identified spam that we keep up to date. This list is used by our spam filters to block these messages from entering our Queen’s Email system. Unfortunately, not all of them are identified and some pass through as regular Email to a recipient. Hence your awareness is critical to your ability to protect yourself.