Scams phish for passwords
'Spear phishing' targets Webmail users, Outlook readers
Nov 25, 2008
By Sean O'Malley
E-mail scammers are becoming smarter in their attempts to fool computer users into revealing passwords, bank accounts and other personal information. The latest scam technique, known as "spear phishing," zeroes in on groups of users at individual institutions, mimicking familiar systems, login prompts and Web sites.
According to OIT security analyst Tom Conley, most spear phishing attempts at Ohio University are directed at users of the university's Webmail system, but any service that has an online presence is fair game. For example, OIT recently identified a scam targeted at Outlook readers. The e-mail message instructed recipients to visit a URL for the day's news stories. Individuals who did so were asked to enter their Oak IDs and passwords into a counterfeit Webmail login screen. OIT has blocked access to the offending site and has filed a phishing report with the United States Computer Emergency Readiness Team (US-CERT), a government/private-sector that coordinates defense against cyber attacks. Both actions are standard procedure for dealing with scams, Conley said.
Because scam messages do sometimes make it past the university's spam filters, Conley recommends that individuals keep a few basic rules in mind:
- Never reply to an e-mail that asks you to send personal information such as passwords or bank account numbers
- Be wary of an e-mailed Web link that asks you for your password, especially if that site normally does not require a password
- Do not open unsolicited attachments, even if they appear to come from a legitimate source
To report suspicious online activity, you can call the OIT Security Hotline at 740-566-SAFE or send e-mail to firstname.lastname@example.org.
E-mail scams at OHIO: http://www.ohio.edu/technology/news/2008/email_scams.cfm
US-CERT (following this link takes you outside Ohio University's Web site): http://www.us-cert.gov/
Published: Nov 25, 2008 11:26 AM