Spam, Phishing, and Identity Theft

There is a constant stream of phishing scams sent to the Purchase College community.  The ones that ask for your User-ID and Password are fairly obvious fakes, and most people recognize those. Other spammers are sneakier and harder to spot, and they depend on our inclination to follow specific instructions or harmless looking links that are sent to us. 

If you respond to a phishing email and provide them with your Purchase College credentials - either by email reply or by clicking a link embedded in their email – then, even in the best case, your account is likely going to be used to spew even more spam. This often damages your online reputation – they may send spam to everyone in your contacts – and it also damages the College’s online reputation. When your compromised account spews out hundreds of messages per minute, a monitoring script kicks in and suspends your account. Other email servers take note of this activity  too – and often mark the Purchaser domino as untrustworthy, or blacklist our domain, rejecting all mail sent from – hampering our ability to communicate to the world.

If you give up your credentials you will be inconvenienced when your account is suspended, and you may miss important messages; CTS is inconvenienced as we spend time contacting other  domains and ask to be removed from their blacklists; and the entire College is inconvenienced as our messages may not always get to their intended recipient.

Giving up your credentials can be even worse if it leads to identity theft. While most phishing is automated and used to spawn more spam, your credentials are now in the hands of unscrupulous individuals somewhere in the world. Those individuals can then access your account and look through your files, records and mail for the kinds of personal private and sensitive information they need to conduct financial transactions in your name. They can file a change of address, order a slew of electronics, cancel the orders, and direct the refunds to themselves, take out new cards in your name, and conduct an almost infinite variety of scams  before you are even aware that anything is wrong.   

To protect yourself:

Purchase College Campus Technology Services will never ask you to confirm/validate  your User-ID and password via email. You will be prompted to enter your Purchase College credentials when you log into a Purchase College system, but those will always be on a  website - or on a federated website.

Be suspicious, and take the time to look carefully at anything that seems unusual, odd, or out of the ordinary. Do not use the links in messages you receive – go directly to vendor websites or accounts by typing their addresses in yourself.

Telltale signs that a particular message is a scam:

  • Messages that ask you to do something – respond with information, open the attachment, follow a link to provide more information, re-validate your account or mailbox, etc.
  • Messages from an anonymous source like “System Administrator” - or from a source outside of
  • Poorly written, misspellings or poor grammar (“Your Mailbox Has Exceeded It Storage Limit”)
  • CTS maintains the college’s servers and workstations, and while there may be periodic service interruptions, we do not ask the campus community to patch their own machines or assist us in maintaining our systems.
  • Read the URL that appears in the bottom of your browser window when you hover your mouse over a link. Watch out for links to foreign countries (i.e. domain names that end in “.ru” or “.cz”) slightly misspelled versions of major brands (i.e. “”) or “exe” files (at the very end of the URL). 

Look at the originator’s address – spammers sometimes attempt to disguise by inserting “…” in front of the actual domain name  “” 

Look at URLs before you click on them:

Phish are easier to spot if you know a little about URLs.  URLs have three components, separated by dots - “Host.Domain.Type” – so “” is the “www” host (or specific server name) at the domain “purchase” which is an “edu”(cation) domain.  The host name (specific server name) is considered to be anything to the left of the second period ( the whatserver part of “”) and the hostname can be qualified by additional periods – for example  “” (blogs is the server name, independent is one of the blogs).

Spammers count on us reading from left to right , but with URL’s you really should read from right to left. For example, may start out sounding ok, but you end up at the domain – the last two sections on the right are the domain this destination is in, everything to the left of those last two sections is just a server name, and far less meaningful. Spammers are counting on us not reading the URLs – and unfortunately that is often a safe assumption.

What about those cute TinyURLs?

Those are gobbledygook redirects that aren’t any easier to remember or pronounce than the longer ones they replace – they are just shorter – and maybe cuter: (can you tell where that takes you? Is that in Russia? China? Or maybe Icantstanditstan?) 
Since there is no way of knowing where you are being redirected to, Purchase College does not use tiny URL links in official communications, nor do most other legitimate enterprises.

Can you spot a phish?

Think you can spot a phish when you see one? Try taking the phishing test and see how well you do (I scored 7 out of 10 – can you do better?) After taking the test, make sure you look at the “Why” links for the ones you missed.

Circulating now:
Below is an example of a phishing scam circulated on campus recently that exhibits some of the telltale signs. Why send it at the beginning of September? New faculty and new students arrive, and everyone is busy and rushing to get things done. The end of the semester is another busy time when people may let their guard down a bit because they are so busy, and cannot afford to have their account access interrupted.

+++++++++++++<Begin Bogus Phishing Message>+++++++++++++++++++++++++

From: Hirsch, Faye
Sent: Monday, September 03, 2012 8:54 PM

Your Mailbox Has Exceeded It Storage Limit As Set By Your Administrator, And You Will Not Be Able To Receive New Mails Until You Re-Validate It.
To Re-Validate  - >  Follow Link:

+++++++++++++<End Bogus Phishing Message>+++++++++++++++++++++++++

URL’s are easy to disguise – while the URL looks like it will take you to – that is probably a phishing site. If you mouse over the URL you can see where it REALLY takes you (I replaced the spammer’s site with a URL to a fictitious It could just as easily be an innocent-looking URL that takes you to a bad place. Mouse over and check your URLs before you click them. Sometimes a phish message will have legitimate links too, and one bad one, so you have to check them all.

Harder phish:

Not all phishermen suffer from poor grammar, and some of them actually know what they are doing. They might even be “spear-phishing” – specifically targeting you because of some known affiliation.

I got two of the message shown below last week on consecutive days, and while it looks somewhat legitimate at first glance the immediate red flag was the instruction to open an attachment (3 times!) I do have an account at Wells Fargo, and the phisherman is counting on me being alarmed enough at an attempt to compromise my bank account that I might lower my guard enough to be tricked into opening a malicious attachment (which probably tries to steal my banking ID and password!) The first day I just deleted it. The second day I called the bank on the phone to verify that they were fake (and they were) and forwarded the messages to their “reportphishing” address. I did not open the attachment - just opening them can cause infection.

Looks reasonably legitimate? Yes. Preys on fear of identity theft? Yes. Hard to spot? Not really.

+++++++++++++<BeginBogus Phishing Message>+++++++++++++++++++++++++

From: Wells Fargo Support []
Sent: Monday, August 27, 2012 10:34 PM
Subject:  Wells Fargo Official Notification
Importance: Low

    Security Notice

Wells Fargo ATM card: Suspended
Internet account access: Suspended

This security notice is to advise you that a unsuccessful Password Reset was recently attempted on your Wells Fargo Internet Banking account.

Please download the file (Attached on this email, please check the attachment at the end of mail) and open it to reactivate your account, if you fail to do that you account will be closed.

Note: Open the file that is attached at the end of this mail.
Thank you for using Wells Fargo Internet Banking .

1999 - 2012 Wells Fargo. All rights reserved. NMLSR ID 399801.

+++++++++++++<End Bogus Phishing Message>+++++++++++++++++++++++++

Bottom Line: Please exercise caution in responding to email requests. If you have any doubts, call and ask.

Facts About Spam

The number of unsolicited e-mail messages - commonly referred to as "spam" - has grown dramatically over the last few years.  According to some estimates, 85% of all e-mail messages are spam.  Unfortunately, regulations and technical counter-measures have yet to catch up to the use of e-mail for criminal and commercial purposes, and we are all being bombarded with free mortgage quotes, pills, free Lotto prizes, gibberish subject lines, and the lost treasures of dead dictators. 

Since e-mail has become commonplace, marketers and criminals alike have realized that they can reach you via e-mail at far less expense than regular mail.  Whereas abuse of regular mail is prohibited by law, the absence of any regulatory laws governing e-mail use has also lowered the bar on the content of advertisement - messages that you wouldn’t normally see in an envelope sent to your home now show up in your e-mail, including offensive materials.

How did these people sending the spam - these spammers - find you?  For the most part, an e-mail address first ends up on a spammer’s list because someone manually typed your e-mail address into a Web page.  You may have done this yourself by subscribing to an e-mail list or “listserv”, or by submitting your e-mail address when making a purchase at an Internet store (e.g. to obtain an e-mailed receipt), or even by subscribing to a general Internet service that “requires” an e-mail address - ostensibly so that it can e-mail you your password or future information such as weather or Internet auction information.  Your e-mail address could also end up on a spam list if it is being published on a Web site.  The spammers run computer programs that scavenge e-mail addresses from sites such as listserv archives, or Web directories.

Once you are on a Spammer’s list, you can never get off.  Spam e-mail lists are constantly bought, sold, traded, copied, compiled, and redistributed.  In a matter of time you aren’t on just one spammer’s list - you are on hundreds of lists, and are receiving dozens of spam messages a day.  Replying to a message, or following the links in the e-mail that supposedly allow you to “Unsubscribe” or “Opt - Out” may only make matters worse.  These actions only notify the spammer that you are actually reading the e-mail they send to you. 

In addition to the mass - marketing application of spam e-mail address lists, many criminals obtain and use spam e-mail lists in order to defraud.  E-mail scams typically promise something - usually large sums of money - in return for the recipient’s involvement, assistance, or release of personal information.  These scams are often long and involved, and may even transcend the e-mail medium.  Many e-mail scams ask the recipient to forward personal data, bank account numbers, and other information.  Criminal Masterminds use the information in various ways to either steal directly from the individual, or to commit identity theft.  According to the Federal Trade Commission tens of millions of  Americans have been victims of identity theft.  

  The Federal Trade Commission Web site offers more information on identity theft at and e-mail scams at

The Campus Community is reminded that one should never respond to any type of communication with personal or professional information unless they are one hundred percent sure that the request for information is legitimate.  Remember: if an offer is too good to be true, then it probably is. 

E-mail users are further reminded that e-mail is not a secure medium, and any transmission of personal information such as Social Security number, bank account, or credit card number may be intercepted electronically.  Personal and financial information should only be transmitted to a legitimate business or institution on the Web via a direct secure connection, usually evident by the presence of a small locked padlock icon on the bottom right of the Web browser window, when viewing the business’ Web site.  Personal and financial information should never be transmitted via e-mail, even if you have a secure connection to your e-mail service.

Please keep in mind that the most effective method to fight off spam and e-mail scams is for you to observe the sender and subject of each message you receive before clicking on the message.  Once you have identified a message to be spam, you should immediately delete the message.  Do not view or preview a message unless you have determined it is not spam.  Viewing a spam message in any way often triggers a visit to the spammers Web site - the spammer identifies your address as a valid e-mail address, and also may get paid for drawing visitors to the site as a result.