IU experts share how to protect yourself, colleagues from email phishing scams
Jan. 14, 2015
We all know what phishing is, right? It’s when scammers use the Internet to send spam and increasingly sophisticated messages to lure folks like us into providing passphrases, and personal or financial information. While many people feel confident they can identify these scams, university IT officials say the phishing efforts aimed at IU employees and students continue to grow.
“As scammers get more sophisticated in their methods, more users respond to it,” said Tim Goth, incident response manager for the University Information Policy Office, which is part of Public Safety and Institutional Assurance, which covers all campuses.
In 2014, 906 phishing messages were reported to the Policy Office. Goth said it takes just one person to bite -- to click on the link or to provide their credentials -- for the scammers to make off with important network data that could be used in various ways, such as harvesting the global address book for more email addresses, sending more spam/phishing messages, accessing subscription library journals, or gaining access to the university network through a VPN connection. Email addresses, he says, can be sold or used to perpetrate more phishing. Phishing can also lead to identity theft and unauthorized access to critical information that could ultimately hurt IU’s reputation and impede email delivery.
“Approximately 65,000 emails can be sent in one hour if a phishing attempt is successful,” Goth said. “It creates a hole you can drive a truck through. Once a phisher has your passphrase, everything you can see, they can see.”
So, while phishing efforts are becoming more sophisticated, the advice to employees and students remains the same: nobody from IU will ask for passphrases; don’t reply to email or pop-up messages that ask for passphrases, personal or financial information; and do not click on links in such messages.
IU has methods at the network level to filter spam but must balance blocking spam with blocking legitimate emails. The University Information Policy Office provides tips and suggestions for how employees can protect their own information as well as their colleagues’ from phishing.
The link includes contacts for reporting phishing. At IU, the sooner phishing efforts can be investigated the better. IU can investigate phishing attempts sent by an IU user or device or attempts that ask for IU credentials. Reports should be sent to firstname.lastname@example.org. The above link includes contacts for non-IU efforts.
“If every user who received a phishing notice sent it to us, I’d be completely happy,” Goth said.