How Email Deception Works
REMINDER: Exercise Caution with Email Phishing Scams
Phishing scams are not uncommon on campus. Here is a list of the most recent ones we've seen:
- January/February 2014: Multiple scams claimed the recipient's incoming emails were being placed on "hold/pending status due to the recent upgrade in our database" and then asked the recipient to click on a link.
As always, you are asked to exercise extreme caution when dealing with emails from unfamiliar senders or with suspicious content.
Aside from the inconvenience of having your inbox fill with spam, falling victim to a phishing scam can have serious consequences including:
- the exposure of your personal information as well as sensitive university information to hackers
- the installation of viruses and malware on your computer
- the exposure of other employees' mailboxes to potential infection
- the potential for your mailbox to be used to send spam, which can "blacklist" the university as a sender and receiver of email
How to Recover
The process of recovering from a phishing attack and regaining access to your email can be a significant disruption that includes:
- taking an internet security course
- changing your password
- having your computer scanned for malware
How to Protect Yourself
- If you receive an email you do not recognize, in terms of the content or the sender, delete it immediately and do not click on any of the links or provide any information.
- When an email directs you to a website that requires your username, password (or any other sensitive information), DON'T CLICK. Use a bookmark or type in the address to be sure you're going to the right place. A legitimate business will never send email asking you to "verify your login credentials."
- If you get a "friend request" from someone you don't know, DON'T CLICK. You don't need that kind of friend, and you can always log in to see if you have any pending requests.
- If a message says your email to so-and-so didn't go through, and offers you a link to find out why, DON'T CLICK. Make sure you really sent such an email. If you did, contact them by other means and verify the address.
- And in general, if an email message urgently directs you to do something, right now, DON'T DO IT! Picking up the phone and calling your bank or your friend will put your mind at ease, and spare you a world of hurt.
It's natural to want to find who hacked your email and why. Begin by recovering your account and securing it. But then, just let it go. There's almost nothing you or I as individuals can do to find out who hacked you.
To recover your account once you've been deceived by a suspicious message such as a hoax, phish, scam, hijack, or spoof, just change your password by clicking the "Change password" link below the Login button on any BYUI Login page. For more information about each type of hack, read on:
Phishing: Pronounced "fishing," this is an attempt to trick you by impersonating someone you trust. More specifically, it's the act of sending an e-mail to a user while falsely claiming to be an established, legitimate enterprise, in an attempt to scam the user into surrendering private information that will be used for identity theft. Find more information at the following sites:
- Consumer Advice (from the Anti-Phishing Working Group)
- How to recognize phishing email messages, links, or phone calls
- List of reply addresses being used in phishing campaigns
- Is this email asking me to validate my password legitimate?
- Can you spot the 5 problems with this email from Amazon?
- Phishing Quiz
Hoax: An untrue, invalid, or outdated email message written to convince the recipient to send the message to others.
- http://urbanlegends.about.com/cs/vir...esaz/index.htm - A-Z listing of Virus Hoaxes
- http://antivirus.about.com/library/blenhoax.htm - Hoax Encyclopedia
- http://www.vmyths.com/hoax.cfm?page=0 - Hoaxes A-Z
Scam: A scheme designed to defraud an individual or corporation. The agents typically promise a large return with little or no risk involved.
Spoofing: To make a transmission appear to come from a user other than the user who performed the action.
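As an added example (not part of this campus notice), the Python script below applies the checks from "How to Protect Yourself" and the spoofing definition above to one raw email message: a Reply-To domain that differs from the From domain, the credential-request and urgency wording the notices describe, and a link whose visible text names a different site than the one it actually points to. The phrase lists, the simple anchor-tag regex and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrase lists are assumptions seeded from the notices above; extend them locally.
CREDENTIAL_PHRASES = ("verify your login credentials", "hold/pending status", "validate your password")
URGENCY_PHRASES = ("immediately", "right now", "within 24 hours")
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
ANCHOR = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>\s*(.*?)\s*</a>', re.I | re.S)  # simple <a> tags only

def _domain(value):
    # Host part of an email address, a URL, or bare link text such as "www.example.edu".
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def phishing_indicators(raw_message):
    # Returns the red flags found in one RFC 822 message; an empty list means none were seen.
    msg = message_from_string(raw_message)
    part = next(p for p in msg.walk() if not p.is_multipart())  # first leaf part carries the body
    body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    sender = _domain(parseaddr(msg.get("From", ""))[1])
    reply_to = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    flags = []
    if reply_to and reply_to != sender:  # spoofing sign: replies go somewhere other than the claimed sender
        flags.append(f"reply-to domain {reply_to} differs from sender domain {sender}")
    flags += [f"credential request: {p}" for p in CREDENTIAL_PHRASES if p in body.lower()]
    flags += [f"urgency: {p}" for p in URGENCY_PHRASES if p in body.lower()]
    for href, text in ANCHOR.findall(body):  # link text names one site while the target is another
        if LOOKS_LIKE_URL.match(text) and _domain(href) != _domain(text):
            flags.append(f"link text {text} points to {_domain(href)}")
    return flags

# Constructed sample modelled on the 2014 notices above; not a real message.
SAMPLE = """From: IT Help Desk <helpdesk@example.edu>
Reply-To: support@mail-upgrade.example.net
Content-Type: text/html; charset=utf-8

<p>Your incoming emails are on hold/pending status due to the recent upgrade in our database.
Please visit <a href="http://login.example-edu.example.net/verify">www.example.edu</a> immediately
to verify your login credentials.</p>
"""

if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE):
        print("FLAG:", flag)
```

Running the script on the sample prints five flags; a message with none of these traits returns an empty list, which is a hint, not proof, that it is safe.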