We have all heard a great deal about identity theft this past year. Identity thieves and other criminals often use "phishing" scams, one of the fastest growing internet crimes, to steal personal information from a vast number of people. Once the thieves have your personal, sensitive or financial data, they may:
- Create financial havoc for you by:
  - opening credit lines
  - getting loans
  - declaring bankruptcy using your name.
- Buy "big-ticket" items like computers that they can easily sell.
- Embroil you in legal problems by giving your name to the police during an arrest.
- Sell your information to other thieves or even organized crime for further exploitation.
What is "Phishing"?
"Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, [and other sensitive information]. By hijacking the trusted brands of well-known banks, online retailers, and credit card companies, phishers are able to convince up to 5% of recipients to respond to them," according to the Anti-Phishing Working Group. Phishing scams have also targeted universities, for example by spoofing pages from a Bursar or Registrar office.
Why are phishing scams so popular?
Phishing attacks are very effective because they are a form of "social engineering." Social engineering takes advantage of the interface between people and technology. People often trust information they receive via e-mail or from a website. However, it is simple for scammers to disguise (i.e., spoof) the origin of their e-mail or the location of their websites. This is done through spoofed e-mail, URL redirection, and browser hijacks such as injection attacks.
To complicate matters, it's not uncommon for businesses or institutions to ask for private or protected information in an e-mail or on a website. Even when an institution has a policy against such queries, employees may forget and ask for it anyway.
Everyone is potentially a target for phishing attacks. Recently, there have been localized attacks against such institutions as TCF Bank, University of Minnesota Federal Credit Union and Wells Fargo. There have also been customized attacks against universities, such as Penn State.
How do I spot a phishing attack?
Phishing websites often closely resemble legitimate websites, even to the point of using graphics and links taken straight from the legitimate site. While phishing tricks are constantly evolving, one common trick is to present the login screen in a pop-up window, which allows the phishers to copy the legitimate site exactly.
Phishing e-mails typically include upsetting or exciting (but false) statements to get people to react immediately. They also often ask for information such as usernames, passwords, credit card numbers, social security numbers, and other sensitive information. Phishing e-mails are typically NOT personalized, while valid messages from your bank or e-commerce company generally are.
For examples of phishing attacks, visit http://phishtank.internetdefence.net/.
What should I do if I am targeted by a phishing attack?
If you receive an e-mail you suspect is a phishing scheme, confirm through other means that the e-mail, or the website it directs you to, is legitimate. This may mean that you need to contact a department within the University, or the Customer Service division of a bank.
For central University functions such as registration, bursar, or admissions, the familiar U of M login page should appear for any real U of M pages that ask for personal information. If in doubt, remember that most functions are available by going to the OneStop web page by typing http://www.onestop.umn.edu directly into your web browser. Follow the links there rather than the ones in the e-mail.
Recommended steps to thwart phishing attacks:
- Type into your web browser the main site mentioned in the e-mail. Examples:
  - http://www.wellsfargo.com
  - http://www.ebay.com
  - http://www.tcfbank.com
  - http://www.paypal.com
  - http://www.umfcu.net
- Check to see if the site has an announcement about phishing attacks targeting it. Examples:
- Check to see if the privacy policy of the website has a policy about collecting private data.
- Contact the sending individual or unit through other means to confirm the authenticity of the e-mail:
  - Find the e-mail address of the unit from a webpage, and type it into your e-mail client. Ask about the e-mail/site.
  - Call the unit, and ask about the e-mail/site.
- If you determine that a website is legitimate, make sure it encrypts your data by using SSL. When SSL is in use, a lock icon will appear somewhere in your browser. However, even SSL can be spoofed by using an incorrect certificate. If you get a dialog box asking to install a certificate, confirm that the certificate is signed by a trusted source, such as Thawte or Verisign. If it is not, or if it is self-signed, contact the site owner through other means, like a phone call.
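The first step above (compare the links in the message with the real site's address) can be applied mechanically. The following is an added example, not code from the original page: it pulls every link out of a message, works out which of the sites listed above the message claims to be from, and flags any link whose host does not belong to that site's domain. The KNOWN_SITES table and the sample message are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Sites the page says to type in directly, keyed by the name a message would use (constructed table).
KNOWN_SITES = {
    "wells fargo": "wellsfargo.com",
    "ebay": "ebay.com",
    "tcf": "tcfbank.com",
    "paypal": "paypal.com",
    "umfcu": "umfcu.net",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host):
    """'www.login.wellsfargo.com' -> 'wellsfargo.com'. Simplification: keeps the
    last two labels, right for .com/.net but not for suffixes such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_message(body):
    """Return (url, verdict) for every link in the message body. A link is suspicious
    when the message names a known site but the link's host is outside that site's domain."""
    text = body.lower()
    expected = {d for name, d in KNOWN_SITES.items() if name in text}
    results = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")           # drop sentence punctuation glued to the link
        host = urlparse(url).hostname or ""
        if not expected:
            verdict = "no known site named in message; verify by hand"
        elif registrable_domain(host) in expected:
            verdict = "matches named site"
        else:
            verdict = "suspicious: host does not belong to the site named in the message"
        results.append((url, verdict))
    return results


def suspicious_links(body):
    return [u for u, v in check_message(body) if v.startswith("suspicious")]


# Constructed sample message (not a real phishing e-mail); the lookalike host is the tell.
SAMPLE_MESSAGE = """\
Dear Wells Fargo customer,
Your account has been suspended. Verify it within 24 hours at
http://www.wellsfargo.com.account-verify.example/login
or read our security notice at http://www.wellsfargo.com/privacy/.
"""
```

Running `check_message(SAMPLE_MESSAGE)` flags the first link and accepts the second; a message that names no known site gets a "verify by hand" verdict rather than a false pass.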
How do I report Phishing scams?
Please report phishing scams to the US-CERT, at www.us-cert.gov/nav/report_phishing.html. The US-CERT is collecting phishing e-mail messages and Web site locations so that they can help people avoid becoming victims of phishing scams.
If you suspect fraud, contact the Federal Trade Commission, at www.ftc.gov/bcp/edu/microsites/idtheft/, and the FBI's Internet Crime Complaint Center, at www.ic3.gov.
If you see a phishing attack that specifically targets the University of Minnesota, please contact OIT Security and Assurance at abuse@umn.edu.
Please don't report phishing attacks aimed at your bank or eBay (etc.) to abuse@umn.edu; report them to the US-CERT, as described in the paragraph above.
What to do if you have fallen victim to a Phishing scam
If you think you have fallen victim to a phishing scam, there is excellent advice on what to do at http://www.antiphishing.org/consumer_recs2.html.
Resources & Links: