Phishing

Snopes.com defines phishing as "a term which refers to the online imitation of a company's branding in spoofed e-mail messages and web sites, created with the intent of fooling unsuspecting users into divulging personal information such as passwords, credit card numbers, PINs, etc. A typical "phish" e-mail will appear to come from a financial institution (such as a bank or credit card company), informing the recipient that some type of problem has affected his account and directing him to follow a provided hyperlink to clear up the problem. The hyperlink leads not to a legitimate site, however, but to a server (usually in another country) on which an imitation web site has been set up. The fooled customer is then prompted to enter confidential personal information (collected by the scammers for perpetrating) identify theft and (usually) redirected to a legitimate web site to obscure the fact that he just gave away data to crooks."

Phishing sites can also include malicious elements that are intended to take advantage of web browser vulnerabilities. Even if you don't enter personal information on the spoofed web site, you could be putting your computer's security in danger simply by clicking on the link in the spoofed message. The best way to protect yourself from phishing scams is to never click on the link in an unexpected or suspicious message you receive.

It's a scary world out there! But, with a little know-how, you can minimize the risks...

The Internet has made the world a much smaller place. While its benefits are tremendous, connecting us to others and to volumes of instant information on any subject anywhere in the world, its downside includes dark alleys frequented by criminals intent on harming you, your computer, and/or your information.

In the physical world, it used to be that you knew which dark alleys or bad neighborhoods to avoid. Today the Internet, with all its benefits, has also brought the dark alleyways to your computer. As such, it takes much more vigilance to protect yourself and your computer from would-be criminals.

Some of the risks you encounter simply by surfing the Internet include, but are not limited to: Identity Theft, viruses and worms that infect your computer, spamming, and spyware infections.

So how do you stay safe? Here are some quick tips:

• Be suspicious of attachments and unexpected e-mail messages.
  • Use antivirus software to scan anything that you receive in your e-mail.
  • True company-based e-mails never send attachments
  • Make sure the link actually goes to their site & not a spoofed one!
• Be careful about clicking on embedded web links in e-mail.
• Be cautious about web sites you visit.
• Don't enter sensitive information on a site you don't trust.
• Make sure online transactions are actually secure (look for the lock on the bottom right of your browser window).
• Don't just click on a link, copy it into your web browser and open it that way - that even includes ITS links in the e-mails we send! (online criminals can hijack your web session and take you somewhere else that may only look like the site you intend to visit).
• Don't click on pop-ups or ads.
• Be wary of e-mails asking for personal or financial information.
• Keep your operating system and antivirus software up to date so that your computer can help you in the fight.
• Don't let your browser be "helpful" by allowing auto fill-out of forms.
• Use common sense. If it sounds weird or too good to be true, it probably is!
• Be wary of unsolicited technical advice.
• Remember, e-mail messages shouldn't be considered secure. Because e-mail can be forwarded to anyone, consider the messages you send public information.
• Always remember to log-off when connecting to secure web sites such as UCCS Webmail and myUCCS portal. If you do not, the next user of the computer may have access to your data.
• Public computers may not always be securely configured and pose a threat to your privacy by storing your password or web cookies. Think twice about going to a secure site if you can not verify the security of the computer.

More tips from the Federal Trade Commission (FTC)

• If you get an e-mail or pop-up message that asks for personal or financial information, do not reply or click on the link in the message. Legitimate companies don't ask for this information via e-mail. If you are concerned about your account, contact the organization in the e-mail using a telephone number you know to be genuine, or open a new Internet browser session and type in the company's correct Web address. In any case, don't cut and paste the link in the message.
• Don't e-mail personal or financial information. E-mail is not a secure method of transmitting personal information. If you initiate a transaction and want to provide your personal or financial information through an organization's Web site, look for indicators that the site is secure, like a lock icon on the browser's status bar or a URL for a web site that begins "https:" (the "s" stands for "secure"). Unfortunately, no indicator is foolproof; some phishers have forged security icons.
• Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
• Use antivirus software and keep it up-to-date. Some phishing e-mails contain malicious software that can harm your computer or track your activities on the Internet without your knowledge. CU-Boulder has anti-virus software available for current faculty, staff, and students.
• Be cautious about opening any attachment or downloading any files from e-mails you receive, regardless of who sent them.
• Report suspicious activity to the FTC. If you get spam that is phishing for information, forward it to itsecure@uccs.edu.  If you've been scammed visit the FTC's Identity Theft website to file a report and learn how to minimize your risk of damage from ID theft.

Content provided by CU Boulder

How to recognize phishing email messages, links, or phone calls

Phishing email messages, websites, and phone calls are designed to steal money. Cybercriminals can do this by installing malicious software on your computer or stealing personal information off of your computer.

Cybercriminals also use social engineering to convince you to install malicious software or hand over your personal information under false pretenses. They might email you, call you on the phone, or convince you to download something off of a website.

What does a phishing email message look like?

Here is an example of what a phishing scam in an email message might look like.

• Spelling and bad grammar. Cybercriminals are not known for their grammar and spelling. Professional companies or organizations usually have a staff of copy editors that will not allow a mass email like this to go out to its users. If you notice mistakes in an email, it might be a scam.
• Beware of links in email. If you see a link in a suspicious email message, don't click on it. Rest your mouse (but don't click) on the link to see if the address matches the link that was typed in the message. In the example below the link reveals the real web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company's web address. Links might also lead you to .exe files. These kinds of file are known to spread malicious software.
• Threats. Have you ever received a threat that your account would be closed if you didn't respond to an email message? The email message shown above is an example of the same trick. Cybercriminals often use threats that your security has been compromised.
• Spoofing popular websites or companies. Scam artists use graphics in email that appear to be connected to legitimate websites but actually take you to phony scam sites or legitimate-looking pop-up windows. Cybercriminals also use web addresses that resemble the names of well-known companies but are slightly altered.

Beware of phishing phone calls

Cybercriminals might call you on the phone and offer to help solve your computer problems or sell you a software license. Once they've gained your trust, cybercriminals might ask for your user name and password or ask you to go to a website to install software that will let them access your computer to fix it. Once you do this, your computer and your personal information is vulnerable. Treat all unsolicited phone calls with skepticism. Do not provide any personal information.