Phishing

 

Phishing is a method of trying to get people to give away their personal and confidential information. It is accomplished electronically - usually through email - and is successful because the person requesting the information masquerades as a real company, such as eBay, CIBC, Amazon - or Queen's University.

 

The most common phishing attempts at Queen's are emails requesting your NetID (or username) and password. Giving away this information results in what's known as compromised accounts.

 

Please remember that no legitimate authority at Queen's will ever ask you to divulge your NetID password. It is a violation of the Queen's Computer User Code of Ethics to tell anyone your NetID password.

 

How big a problem is phishing at Queen's?

 

Between September 2010 and February 2011, more than 800 email accounts at Queen's were compromised. By far the most common way this occurs is that the owner of the account freely gives away their NetID and password. 

 

What are the consequences of successful phishing?

 

If you fall prey to a phishing scam directed at your email account, the consequences for the University can be severe. Your email address can be used to send hundreds of thousands of spam emails through the University's email servers. This results in Queen's University being blacklisted and put on the list of known spammers. The outcome of these attacks is that external email services such as Hotmail have blocked or greatly reduced the amount  of traffic allowed from the @queensu.ca email system. Being blacklisted in this manner seriously damages the University's reputation.

 

It is also important to remember that NetIDs and passwords are used to access all sorts of information in addition to email. There are systems at Queen’s that use NetIDs to access data relating to grades, finances, medical information, and a wide variety of other confidential and personal information. When someone gives away their NetID and password, they are potentially making all of this information available to an unauthorized party.

 

Be aware that phishing is not just about stealing your NetID and password. Phishers are also after personal information that could aid them in stealing your identity. Information like your date of birth, your home address, your social insurance number, your driver's license number, even your mother's maiden name, can all be used to access your financial information, open bank accounts, obtain credit cards, and acquire cell phones.

 

How can I recognize phishing emails?

It can be very difficult to recognize phishing emails, but they usually contain one or more of the following characteristics:

 

• You may be directed to a clickable link and instructed to verify your information or provide personal information like your driver’s license or credit card number. If you hover your mouse over a link in a questionable email, the address of the real website you will be directed to appears in the bottom left corner of your screen. You’ll notice that the link is unrecognizable or does not match the company that appears in the email. The link may also have a lot of different characters in it like % and #.
• Frequently the email will contain a threat, for example, that your account will be deleted if you do not respond immediately.
  
• The "From"  and "Reply to" email addresses will not be real addresses of the purported sender.
• Phishing emails usually contain spelling and/or grammatical errors. 
• Company logos may have slight changes in them.

Visit our Phishing Samples page to see specific examples of phishing emails at Queen's.

 

What should I do if I receive a phishing email?

 

• The safest thing to do is never respond to anyone who asks for personal information by email. And yes, this means even if the request appears to come from people or places you know, like ITServices.
• If you aren't certain if the request is legitimate, contact the company directly either by phone or by going to their website.
• Do not click any link within the email as it may take you to a copycat site that will record your information.
• If there is an attachment, do not open it. It could be spyware designed to record keystrokes and send them to another person.

How else can I protect myself?

 The best way to protect yourself is to be aware, be cautious, and observe the following guidelines:

 

• Consider where the email is supposed to come from. Is it against that organization's policy?  For example, ITServices will never ask you for your NetID and password in an email. Similarly, Microsoft never sends updates for their software by email, so any email from Microsoft asking you to “click here” to upgrade your software is a scam. 
• Keep your computer up-to-date. This includes your operating system, your antivirus software, and your anti-spyware software.
• Turn your computer off at the end of the day and over weekends.
• Whenever you enter your personal information on a website, check to ensure that you are on a secure server. To do that:
  • Look at the address field in your browser – a page where you enter your information should begin with https://, which means you are on a secure server.
  • Also, when you are on a secure server, the padlock icon in the bottom right corner of your browser will be locked.

What should I do if I get hooked?

If you think someone else may know your NetID password, you should change it immediately by following the instructions found on the NetID Password Change page. If you have divulged bank or credit card information, contact those companies immediately. 

 

What is Queen’s doing about phishing emails?

The onslaught of phishing emails at Queen's has prompted ITServices to make some changes in the handling of email through the @queensu.ca email system. ITServices is working diligently to adjust the infrastructure of the mail system to prevent as many phishing and spam attacks as possible. Amongst other things, we're now filtering email submitted to mail.queensu.ca on the secure port 465 before it reaches our email servers. We are also applying this filtering to email submitted through webmail.queensu.ca. 

 

ITServices will continue to monitor and fine-tune the email infrastructure to respond to new challenges and demands upon the system. As well, we are working hard to communicate with our stakeholders about the dangers of phishing so we can educate users about safe practices.