Spam, Phishing, and Identity Theft
There is a constant stream of phishing scams sent to the Purchase College community. The ones that ask for your User-ID and Password are fairly obvious fakes, and most people recognize those. Other spammers are sneakier and harder to spot, and they depend on our inclination to follow specific instructions or harmless looking links that are sent to us.
If you respond to a phishing email and provide them with your Purchase College credentials - either by email reply or by clicking a link embedded in their email – then, even in the best case, your account is likely going to be used to spew even more spam. This often damages your online reputation – they may send spam to everyone in your contacts – and it also damages the College’s online reputation. When your compromised account spews out hundreds of messages per minute, a monitoring script kicks in and suspends your account. Other email servers take note of this activity too – and often mark the Purchaser domino as untrustworthy, or blacklist our domain, rejecting all mail sent from purchase.edu – hampering our ability to communicate to the world.
If you give up your credentials you will be inconvenienced when your account is suspended, and you may miss important messages; CTS is inconvenienced as we spend time contacting other domains and ask to be removed from their blacklists; and the entire College is inconvenienced as our messages may not always get to their intended recipient.
Giving up your credentials can be even worse if it leads to identity theft. While most phishing is automated and used to spawn more spam, your credentials are now in the hands of unscrupulous individuals somewhere in the world. Those individuals can then access your account and look through your files, records and mail for the kinds of personal private and sensitive information they need to conduct financial transactions in your name. They can file a change of address, order a slew of electronics, cancel the orders, and direct the refunds to themselves, take out new cards in your name, and conduct an almost infinite variety of scams before you are even aware that anything is wrong.
To protect yourself:
Purchase College Campus Technology Services will never ask you to confirm/validate your User-ID and password via email. You will be prompted to enter your Purchase College credentials when you log into a Purchase College system, but those will always be on a xyz.purchase.edu website - or on a federated xyz.suny.edu website.
Be suspicious, and take the time to look carefully at anything that seems unusual, odd, or out of the ordinary. Do not use the links in messages you receive – go directly to vendor websites or accounts by typing their addresses in yourself.
Telltale signs that a particular message is a scam:
Look at the originator’s address – spammers sometimes attempt to disguise by inserting “updates.purcahse.edu…” in front of the actual domain name “secure.1-central.net.”
Look at URLs before you click on them:
Phish are easier to spot if you know a little about URLs. URLs have three components, separated by dots - “Host.Domain.Type” – so “www.purchase.edu” is the “www” host (or specific server name) at the domain “purchase” which is an “edu”(cation) domain. The host name (specific server name) is considered to be anything to the left of the second period ( the whatserver part of “whatserver.purchase.edu”) and the hostname can be qualified by additional periods – for example “independent.blogs.purchase.edu” (blogs is the server name, independent is one of the blogs).
Spammers count on us reading from left to right , but with URL’s you really should read from right to left. For example, www.purchase.edu.something.evile.phishermen.com may start out sounding ok, but you end up at the domain evile.phishermen.com – the last two sections on the right are the domain this destination is in, everything to the left of those last two sections is just a server name, and far less meaningful. Spammers are counting on us not reading the URLs – and unfortunately that is often a safe assumption.
What about those cute TinyURLs?
Those are gobbledygook redirects that aren’t any easier to remember or pronounce than the longer ones they replace – they are just shorter – and maybe cuter: http://tinyurl.com/a7su6 (can you tell where that takes you? Is that in Russia? China? Or maybe Icantstanditstan?)
Since there is no way of knowing where you are being redirected to, Purchase College does not use tiny URL links in official communications, nor do most other legitimate enterprises.
Can you spot a phish?
Think you can spot a phish when you see one? Try taking the phishing test and see how well you do (I scored 7 out of 10 – can you do better?) After taking the test, make sure you look at the “Why” links for the ones you missed.
Below is an example of a phishing scam circulated on campus recently that exhibits some of the telltale signs. Why send it at the beginning of September? New faculty and new students arrive, and everyone is busy and rushing to get things done. The end of the semester is another busy time when people may let their guard down a bit because they are so busy, and cannot afford to have their account access interrupted.
+++++++++++++<Begin Bogus Phishing Message>+++++++++++++++++++++++++
From: Hirsch, Faye
Sent: Monday, September 03, 2012 8:54 PM
Subject: EMAIL QUOTA ALERT
Your Mailbox Has Exceeded It Storage Limit As Set By Your Administrator, And You Will Not Be Able To Receive New Mails Until You Re-Validate It.
To Re-Validate - > Follow Link: http://domainupgradeac.iccx.com/outlook.html
+++++++++++++<End Bogus Phishing Message>+++++++++++++++++++++++++
URL’s are easy to disguise – while the URL looks like it will take you to domainupgradeac.ucoz.com – that is probably a phishing site. If you mouse over the URL you can see where it REALLY takes you (I replaced the spammer’s site with a URL to a fictitious derp.duh.com). It could just as easily be an innocent-looking URL that takes you to a bad place. Mouse over and check your URLs before you click them. Sometimes a phish message will have legitimate links too, and one bad one, so you have to check them all.
Not all phishermen suffer from poor grammar, and some of them actually know what they are doing. They might even be “spear-phishing” – specifically targeting you because of some known affiliation.
I got two of the message shown below last week on consecutive days, and while it looks somewhat legitimate at first glance the immediate red flag was the instruction to open an attachment (3 times!) I do have an account at Wells Fargo, and the phisherman is counting on me being alarmed enough at an attempt to compromise my bank account that I might lower my guard enough to be tricked into opening a malicious attachment (which probably tries to steal my banking ID and password!) The first day I just deleted it. The second day I called the bank on the phone to verify that they were fake (and they were) and forwarded the messages to their “reportphishing” address. I did not open the attachment - just opening them can cause infection.
Looks reasonably legitimate? Yes. Preys on fear of identity theft? Yes. Hard to spot? Not really.
+++++++++++++<BeginBogus Phishing Message>+++++++++++++++++++++++++
From: Wells Fargo Support [mailto:email@example.com]
Sent: Monday, August 27, 2012 10:34 PM
Subject: Wells Fargo Official Notification
+++++++++++++<End Bogus Phishing Message>+++++++++++++++++++++++++
Bottom Line: Please exercise caution in responding to email requests. If you have any doubts, call and ask.
The number of unsolicited e-mail messages - commonly referred to as "spam" - has grown dramatically over the last few years. According to some estimates, 85% of all e-mail messages are spam. Unfortunately, regulations and technical counter-measures have yet to catch up to the use of e-mail for criminal and commercial purposes, and we are all being bombarded with free mortgage quotes, pills, free Lotto prizes, gibberish subject lines, and the lost treasures of dead dictators.
Since e-mail has become commonplace, marketers and criminals alike have realized that they can reach you via e-mail at far less expense than regular mail. Whereas abuse of regular mail is prohibited by law, the absence of any regulatory laws governing e-mail use has also lowered the bar on the content of advertisement - messages that you wouldn’t normally see in an envelope sent to your home now show up in your e-mail, including offensive materials.
How did these people sending the spam - these spammers - find you? For the most part, an e-mail address first ends up on a spammer’s list because someone manually typed your e-mail address into a Web page. You may have done this yourself by subscribing to an e-mail list or “listserv”, or by submitting your e-mail address when making a purchase at an Internet store (e.g. to obtain an e-mailed receipt), or even by subscribing to a general Internet service that “requires” an e-mail address - ostensibly so that it can e-mail you your password or future information such as weather or Internet auction information. Your e-mail address could also end up on a spam list if it is being published on a Web site. The spammers run computer programs that scavenge e-mail addresses from sites such as listserv archives, or Web directories.
Once you are on a Spammer’s list, you can never get off. Spam e-mail lists are constantly bought, sold, traded, copied, compiled, and redistributed. In a matter of time you aren’t on just one spammer’s list - you are on hundreds of lists, and are receiving dozens of spam messages a day. Replying to a message, or following the links in the e-mail that supposedly allow you to “Unsubscribe” or “Opt - Out” may only make matters worse. These actions only notify the spammer that you are actually reading the e-mail they send to you.
In addition to the mass - marketing application of spam e-mail address lists, many criminals obtain and use spam e-mail lists in order to defraud. E-mail scams typically promise something - usually large sums of money - in return for the recipient’s involvement, assistance, or release of personal information. These scams are often long and involved, and may even transcend the e-mail medium. Many e-mail scams ask the recipient to forward personal data, bank account numbers, and other information. Criminal Masterminds use the information in various ways to either steal directly from the individual, or to commit identity theft. According to the Federal Trade Commission tens of millions of Americans have been victims of identity theft.
The Federal Trade Commission Web site offers more information on identity theft at http://www.consumer.gov/articles/1015-avoiding-identity-theft/ and e-mail scams at http://www.onguardonline.gov/topics/avoiding-scams.aspx
The Campus Community is reminded that one should never respond to any type of communication with personal or professional information unless they are one hundred percent sure that the request for information is legitimate. Remember: if an offer is too good to be true, then it probably is.
E-mail users are further reminded that e-mail is not a secure medium, and any transmission of personal information such as Social Security number, bank account, or credit card number may be intercepted electronically. Personal and financial information should only be transmitted to a legitimate business or institution on the Web via a direct secure connection, usually evident by the presence of a small locked padlock icon on the bottom right of the Web browser window, when viewing the business’ Web site. Personal and financial information should never be transmitted via e-mail, even if you have a secure connection to your e-mail service.
Please keep in mind that the most effective method to fight off spam and e-mail scams is for you to observe the sender and subject of each message you receive before clicking on the message. Once you have identified a message to be spam, you should immediately delete the message. Do not view or preview a message unless you have determined it is not spam. Viewing a spam message in any way often triggers a visit to the spammers Web site - the spammer identifies your address as a valid e-mail address, and also may get paid for drawing visitors to the site as a result.
New! Equipment Loans Page
Email Password Reset (Student)
Email Password Reset (Faculty/Staff)
February 5 through May 15:
Mon-Thur 8am-7:45pm, Fri 8am-4:45pm
When classes are not in session:
(basement of Social Sciences Bldg)
Tel (914) 251-6465