- What is it?
- What are some examples of phishing?
- How to Recognize Scams
- How did they get my email address?
- What's the big deal if I give them my username (NetID) and password?
- What do I do if I receive a suspicious email?
- What if I already provided my personal information?
- What is OIT doing about these scams?
- Where can I go for more information?
- What are the consequences of falling for a phishing scam?
- What should I do if my account has been compromised?
Phishing is the use of email and fraudulent web sites to trick people into disclosing personal financial or identity information, such as credit card or Social Security numbers, usernames (e.g., NetIDs), passwords and addresses. Although most "phishes" come as email, phishing scams can also arrive as text messages and phone calls. It's called "phishing" because the criminals broadcast phony emails to large numbers of addresses, hoping that some recipients will "take the bait." The emails either try to entice you with promises of great deals, or scare you into providing the information.
Phony emails are sent from addresses across the Internet and appear to be from reputable organizations, but are not. The emails are actually from criminals who are attempting to lure you to provide your personal information. Often both the emails and the web pages they direct you to look just like you would expect to see from that organization, since the logos and formats have been copied. The message uses social engineering tactics that might indicate there is a problem with your account, and urges you to respond immediately by clicking a web link to "verify" or "update" your account information.
It's important to note that the company being spoofed has nothing to do with the scam. Its name is just being used to trick you into "taking the bait."
If you receive email soliciting confidential information such as your password, Social Security Number, credit card number or other sensitive information, with instructions to send it via email or click on a link, this may be a scam. Email messages travel over the Internet in an insecure manner, and you should never send sensitive information in an email. Notre Dame will NEVER request this information from you via e-mail. You can see some recent examples of phishing messages that we know were received by ND accounts at oit.nd.edu/phish-bowl.
Scam tactics are increasingly sophisticated and change rapidly. Even if a request looks genuine, be skeptical and look for one or more of these warning flags:
- The message is unsolicited and asks you to update, confirm or reveal personal identity information (e.g., full SSN, account numbers, NetID, passwords, protected health information).
- The message creates a sense of urgency.
- The message may have an unusual "From" address or an unusual "Reply-To" address instead of a recognizable "@nd.edu" style address.
- The message indicates that your ND email account has exceeded, or is about to exceed, its storage quota. (ND Google quota is unlimited.)
- The (malicious) web site URL doesn’t match the name of the institution that it allegedly represents.
- The web site doesn’t have an "s" after "http" (for example, https://) indicating it is not a secure site.
- The link in the pop-up doesn’t match the printed text.
- The message is not personalized. Valid messages from banks and other legitimate sources usually refer to you by name.
- There are grammar or spelling errors.
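As an added illustration (example code written for this page, not an OIT tool), the following Python checker tests a raw email message against the warning flags listed above: a "From" domain that is not the institution's, a "Reply-To" that differs from "From", urgency wording, requests for credentials or identity information, a quota scare, a generic greeting, links whose displayed text does not match the real destination, plain http:// links, and links that point outside the institution's domain. The expected domain nd.edu, the phrase lists, and the two sample messages are constructed assumptions for the example.

```python
import re
from email import policy
from email.parser import Parser
from urllib.parse import urlparse

# Assumption for this example: the institution's legitimate mail domain.
EXPECTED_DOMAIN = "nd.edu"

# Constructed phrase lists that approximate the warning flags listed above.
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended", "act now")
CREDENTIAL_PHRASES = ("password", "netid", "social security", "ssn", "credit card")
QUOTA_PHRASES = ("storage quota", "exceeded your quota", "mailbox is full")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear member", "dear account holder")
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.IGNORECASE)


def _domain_of_address(header_value):
    """Lower-cased domain part of an address header, or '' when there is none."""
    match = re.search(r"@([A-Za-z0-9.-]+)", str(header_value or ""))
    return match.group(1).lower() if match else ""


def _registrable(host):
    """Crude 'last two labels' domain comparison, enough for this example."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "").lower()


def phishing_indicators(raw_message):
    """Return the sorted list of warning flags a raw email message triggers."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    flags = set()

    # Header checks: sender domain, and a Reply-To that points somewhere else.
    from_domain = _domain_of_address(msg.get("From", ""))
    reply_domain = _domain_of_address(msg.get("Reply-To", ""))
    if from_domain and _registrable(from_domain) != EXPECTED_DOMAIN:
        flags.add("from-address-not-institution")
    if reply_domain and reply_domain != from_domain:
        flags.add("reply-to-differs-from-from")

    # Body checks: urgency, credential/identity requests, quota scare, greeting.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    lower = text.lower()
    if any(p in lower for p in URGENCY_PHRASES):
        flags.add("urgency")
    if any(p in lower for p in CREDENTIAL_PHRASES):
        flags.add("requests-credentials-or-identity-info")
    if any(p in lower for p in QUOTA_PHRASES):
        flags.add("quota-scare")
    if any(g in lower for g in GENERIC_GREETINGS):
        flags.add("generic-greeting")

    # Link checks: displayed URL vs real href, plain http, and foreign domains.
    for href, link_text in HREF_RE.findall(text):
        shown = URL_RE.search(link_text)
        if shown:
            shown_host = urlparse(shown.group(0)).hostname or ""
            href_host = urlparse(href).hostname or ""
            if _registrable(shown_host) != _registrable(href_host):
                flags.add("link-text-mismatch")
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        if parsed.scheme.lower() == "http":
            flags.add("plain-http-link")
        if _registrable(parsed.hostname or "") != EXPECTED_DOMAIN:
            flags.add("link-domain-not-institution")

    return sorted(flags)


# Constructed sample messages (not real mail): one phish, one ordinary note.
PHISH_SAMPLE = """\
From: "ND Help Desk" <helpdesk@nd-edu-support.example>
Reply-To: verify@mail-verify.example
To: jdoe@nd.edu
Subject: Your mailbox has exceeded its storage quota
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear User,</p>
<p>Your mailbox has exceeded your storage quota. You must verify your NetID and
password within 24 hours or your account will be suspended.</p>
<p><a href="http://login.nd-edu-support.example/verify">https://password.nd.edu</a></p>
</body></html>
"""
BENIGN_SAMPLE = """\
From: "Jane Colleague" <jcolleague@nd.edu>
To: jdoe@nd.edu
Subject: Lunch on Thursday
Content-Type: text/plain; charset="utf-8"

Hi John, are you free for lunch Thursday? The agenda is at https://www.nd.edu/agenda.
"""

if __name__ == "__main__":
    print("phish  :", phishing_indicators(PHISH_SAMPLE))
    print("benign :", phishing_indicators(BENIGN_SAMPLE))
```

The checker reports flags rather than a verdict, because each one is a heuristic: the plain-http check in particular is the weakest signal, since many phishing sites are served over https, so an "s" after "http" never proves a site is legitimate. The link-text comparison is the check most worth doing by hand, too: hover over a link and compare the destination shown with the text you see.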
Schools, government agencies and some businesses and associations post staff, student and other email addresses on the Internet. Sometimes people use their email addresses when posting to web pages, blogs or online forums. Sometimes people click on the "unsubscribe" links in spam email, thus providing the phisher with a valuable acknowledgement that their email address is correct!
To see where the phishers may have obtained your email address, go to google.com, and in the search field, enter the following. Be sure to include the quotation marks and ampersand (&) to increase the accuracy of your search. Substitute your own information for the placeholders in the search strings.
"your_last_name" & "@the email domain name where you received the phishing email.<edu><com><org><gov>"
An example would be:
"doe" & "@nd.edu"
Any listings of your email address that appear are a potential source used by phishers and spammers to get your email address.
In the case of banking, the results are obvious: the scammer now has access to your money. However, at a university what they gain access to is a bit different and could cause damage to both yourself and others. They could potentially gain further information about you and your friends/coworkers that they could use to steal more identities. They gain access to your email, allowing them to read and send messages on your behalf, including high quantities of spam. They will have access to the ND services that you are authorized to use, and could do things like change your insurance beneficiaries, emergency contact information, your course selections, etc. They could also lock you out of your account by changing your password.
Often, once a hacker has your NetID and password they will use YOUR email account to send huge volumes of spam. This could result in ND email being blocked by some sites, preventing legitimate email from being delivered for multiple days. If the OIT receives a report that your account has been compromised in this manner, we will block all access (including your own) to your account, and you may be required to visit the OIT Help Desk to request that your access be restored.
If the email appears to be from an organization with which you do not currently do business, discard it. You can also click the Report Spam button within the Gmail interface to train Google that you don't want to see these messages in the future.
If it appears to be from an organization such as your financial institution, contact that organization for instructions. It is important that you not use the phone numbers, web addresses or email addresses included in the suspicious email, as they may not be legitimate and could connect you with the criminals. Use the officially published addresses and phone numbers of the institution where you do business.
If you believe the spam is coming from an nd.edu account, check the ND Phish Bowl to see if we are already aware of it. If you find a similar message there, the message you received is a phishing scam and you should simply delete it. If the one you have is not listed there, you may forward the spam (with full email headers) to email@example.com so we can review it and follow up. If we confirm the email is spam and was sent from an nd.edu account, we will take action to prevent further messages from being delivered, and assist the account owner in preventing a recurrence.
Phishing emails can be forwarded to firstname.lastname@example.org.
If you provided debit or credit account information, contact your financial institution immediately. If you provided your username and/or password, contact the institution or organization the account is associated with; they can assist you in re-securing your account. You should also review the information and instructions about Identity Theft.
With each new email scam that we observe, the OIT's system administrators analyze the message and make configuration changes to attempt to block future messages, while being careful NOT to block legitimate email. Unfortunately, it is impossible to predict exactly what the next scam will look like or where it will come from, so we are unable to stop some of these messages from getting through to your mailbox. When they do, use the delete key.
If you have followed the link on a suspicious email or have noticed unusual activity relating to your account, you may have been compromised. If this is the case, you should take the following steps in order to protect yourself:
- Reset your password. You can reset your password at password.nd.edu. You may want to do this from a computer you know is secure, so that if your own machine is infected, your new password will not be compromised as well.
- Run a virus and malware scan. Even if you believe that only your email was compromised, it never hurts to run a virus and malware scan to make sure your machine is free of infections.
- If you believe that your machine was compromised, or if your virus and/or malware scans turned up an infection, have it looked at by an IT specialist. If it is campus owned, either contact your local IT representative or contact the Help Desk so that one can be dispatched to you. If it is a personal machine, take it either to the service center located in the ITC or to a local service center in your area.
Once you have completed these steps, please contact the Help Desk for assistance in checking your account for any malicious modifications.