Phishing Scams Information
Phishing is a process used by thieves who impersonate a corporation or trusted institution (like Emporia State University), intended to extract passwords or other sensitive information from you. When someone replies to a phishing e-mail or clicks on a fake website link in a HOAX email, they are doing so because they have been FOOLED. The reader truly believes the e-mail is a legitimate e-mail from IT, the ESU Webmaster, or from Emporia State University in general.
Phish e-mails are becoming more and more detailed to fool readers into believing they are reading a legitimate e-mail or visiting an ESU web site. This means people need to be on guard more than ever when reading and replying to e-mail. Just because an e-mail LOOKS legitimate does not always mean it IS legitimate. These fake sites are bait, presented to fool you into divulging your personal information.
ESU uses a SPAM filter to help cut down the number of phishing e-mail, but spam filters can only catch some of the fake e-mail. The best defense to phishing e-mail is you - the individual user. Never give out identity information (passwords, Social Security number, PIN numbers, financial account information) via ESU e-mail. No one at ESU will ask you to give us your password to verify your account information. It is against Emporia State University policy to share your password - with anyone (including IT).
What happens if you do respond to a phishing attempt? You first need to change your password to something you have never used; then, contact the Information Security Officer for further instructions. If the university is able to determine through various mechanisms that your e-mail account is being used to send SPAM, your account's password will be changed and you will need to contact the IT HelpDesk before you will be able to access e-mail, the network, Buzz In or Blackboard.
Is getting access to my account really that unsafe? Yes. Someone with your username and password can access your personal information in Buzz In, including your pay stub and direct deposit information, your financial aid records, grades, home address, and more. With your account information, someone can steal your identity, change your course schedule, gain access to other records, and access your files on your HOME directory or your department's SHARED directory.
Are there any instances in which IT will ask me for personal identity information by e-mail? No. IT will not ask you to reveal your password (or other sensitive information) through e-mail or phone. You may be asked to change your password, but you will never be asked to disclose it.
How do I recognize phishing emails? Scam tactics are increasingly sophisticated and change rapidly. Even if a request looks genuine, be skeptical and look for these warning flags:
- The message is unsolicited and asks you to update, confirm, or reveal personal identity information (e.g., full SSN, account numbers, passwords)
- The message creates a sense of urgency
- The message has an unusual FROM address or an unusual REPLY-TO address instead of an "@emporia.edu" address
- The (malicious) web site URL doesn't match the name of the institution that it allegedly represents (e.g., emporia.edu)
- The web site doesn't have an "s" after "http://" indicating it is not a secure site
- The message is not personalized
- There are grammatical errors
If you have any doubts whether an e-mail is legitimate, do not respond or click the link. Check FIRST with the IT HelpDesk (x5555) or Information Security Office! Do not fill out or use forms that are embedded in the body of an e-mail (even if the form appears to be legitimate). Do not open e-mail or attachments from unknown sources. Many viruses arrive as executable files that are harmless UNTIL you start running them.
Remember, the success of phishing lies in the ability to make the e-mail or website look legitimate to fool the user. If phishing scams were easy to recognize, people would not fall victim to them.
Don't be fooled - Protect your information! Do not share your password!