Phishing Security Notices
Many affiliates of Valdosta State University have been the recipients of a "High Tech scam" known as "phishing".
Some students, faculty, or staff may have received an email recently with the subject "VERIFY YOUR VALDOSTA.EDU WEBMAIL ACCOUNT". The email requested user information including one's username, password, and security question/answer. The sender claimed that the information was needed to verify that one's email address was still in use.
What Is Phishing?
Phishing involves an email user receiving a notice of an urgent nature usually from a financial institution. The notice will request verification of the user's account by clicking an included link or visiting a "realistic" website complete with the company logos and other trademarks. Often, the user is requested to complete a form that may include credit card numbers, bank account information, social security numbers, PINs, or other types of sensitive information.
Phishing is not limited to individuals posing as financial institutions. In some cases, a phisher will pose as a representative of a religious organization or a representative of a user's place of employment. All attempts of this nature will include an attempt at getting either your account information or your personal identification information.
However realistic the form or request may seem (see examples above), users should not be deceived by such notices and should be aware that such notices are frauds or scams. The best way to make sure you’re dealing with a merchant you trust, and not a charlatan, is to initiate the contact yourself. Type the merchant’s address into your Internet browser instead of clicking on a link in an e-mail.
For information about “phishing” go to the Federal Trade Commission document titled “How Not to Get Hooked By a Phishing Scam” or Avoiding Social Engineering and Phishing Attacks published by US-CERT.
Other examples of these scams are:
What If I Am a Victim of Phishing?
Depending on the target of the phisher, you may need to immediately contact the appropriate party. If you provided a username and/or password for an online account, it may be a simple matter of logging into your account and changing your password (be sure to change the password to any other resource you use that may be using the same password you gave out). If, however, you were tricked into providing your account information for a financial institution, the matter will be more complicated and urgent. You will need to contact your financial institution immediately and report the incident. Each company may have a different set of procedures in handling the situation, but it will likely boil down to you closing your account. In the case of having given out your social security number, you will need to contact the credit reporting agencies to alert them to the possibility of identity theft.
Phishing attempts should be reported to Information Security. If the user does not wish to report the fraudulent attempt, the email should be deleted. When reporting the email, the header information (normally not shown) is extremely important and must be kept in its original format. One of the easiest methods of keeping the email intact is to forward the original attempt as an attachment. Directions for forwarding email messages as an attachment can be found on the Information Technology Helpdesk website.
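Why forwarding as an attachment matters, as an added example that is not part of the original notice: an inline forward copies only a summary and the body, while an attached original keeps the routing headers that Information Security needs. The sample message, every address and IP in it, and the function names are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample of a phishing email as delivered; every address and IP is made up.
ORIGINAL = (
    b"Return-Path: <bounce@mailer.example.net>\r\n"
    b"Received: from mailer.example.net ([203.0.113.7])\r\n"
    b"\tby mx.example.edu; Mon, 01 Jan 2024 10:00:00 +0000\r\n"
    b"From: Webmail Support <support@example.edu>\r\n"
    b"Reply-To: verify@example.org\r\n"
    b"Subject: VERIFY YOUR VALDOSTA.EDU WEBMAIL ACCOUNT\r\n"
    b"\r\n"
    b"Reply with your username and password.\r\n"
)

def _new_report(reporter, to):
    report = EmailMessage()
    report["From"], report["To"] = reporter, to
    report["Subject"] = "Fwd: suspected phishing"
    return report

def forward_inline(original_bytes, reporter, to):
    """Typical inline forward: only a summary and the body text are copied."""
    original = message_from_bytes(original_bytes, policy=policy.default)
    report = _new_report(reporter, to)
    report.set_content(f"---- Forwarded message ----\nFrom: {original['From']}\n"
                       f"Subject: {original['Subject']}\n\n{original.get_content()}")
    return report.as_bytes()

def forward_as_attachment(original_bytes, reporter, to):
    """Forward as attachment: the whole original travels as a message/rfc822 part."""
    report = _new_report(reporter, to)
    report.set_content("Suspected phishing, original attached.")
    report.add_attachment(message_from_bytes(original_bytes, policy=policy.default))
    return report.as_bytes()

def original_headers(report_bytes):
    """Return routing headers of the attached original, or None if none is attached."""
    report = message_from_bytes(report_bytes, policy=policy.default)
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_content()  # the embedded original message
            return {
                "return_path": str(inner["Return-Path"]),
                "received": [str(r) for r in inner.get_all("Received", [])],
                "from_domain": inner["From"].addresses[0].domain,
                "reply_to_domain": inner["Reply-To"].addresses[0].domain,
            }
    return None
```

For the attached report, the function recovers the Return-Path, the Received line with the sending IP, and a From domain that differs from the Reply-To domain; for the inline forward it returns None because those headers never left the reporter's mailbox.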