
Phishing: Don't Take the Bait

Internet criminals are using a technique called "phishing" to obtain personal information from unsuspecting Internet users. Phishing typically involves sending an e-mail seeking personal information while falsely claiming to come from a legitimate source. Users are often prompted to update or validate passwords, credit card details, Social Security numbers, PIN numbers, or other sensitive information.

Spoofed messages claiming to be from prominent government and banking entities have included threats of legal action and jail for not responding. Some SLAC users have even received phishing e-mails disguised as death threats.

How to protect yourself:

1. Caveat emptor ("buyer beware") should be the watchwords for use of the Internet.
- Never give out any personal or financial information unless you are certain about the authenticity and online security policy of the organization with which you are dealing.
- Use your "known good" URLs for the banks, shopping sites, payment sites, etc.
- Conduct transactions securely. Ensure that the website address begins with "https" rather than "http."

2. If you receive a request and are unsure of its legitimacy, contact the organization directly by the phone number on the back of your credit card or from a monthly statement. Do not use any phone numbers listed in the e-mail.

3. Be careful about which e-mails and attachments you open or forward.
- If you don't recognize the sender, delete it.
- If you do recognize the sender, don't automatically assume that the message is legitimate. "From" addresses on e-mails are easy to forge. If you get a bounce back (undeliverable message notice) for a message you know you didn't send, delete it.
- The safest way to send or read e-mail is Plain Text. We recommend everyone make the changes necessary to only read e-mail in Plain Text format. If you are certain of a message's legitimacy and want to view messages in HTML, follow the instructions for enabling HTML.
- Don't click on links in e-mail. Pull up a new browser and manually type the website address from a recent bill or from prior legitimate communications from the organization or company.
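The two points above (HTML mail can display one address while linking to another, and a real transaction site uses https) can be checked mechanically. The following checker is an added example, not part of the original SLAC article: it parses a constructed HTML message body and flags links whose visible text names a different host than the actual href, or whose destination is not https. The bank name, the address 198.51.100.7, and the pattern used to decide whether link text "looks like" a URL are all assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or host name (assumed pattern).
URLISH = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html_body):
    """Return (reason, visible_text, href) for links whose visible text names a
    host other than the one the href really goes to, or whose href is not https."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if not href:
            continue
        real_host = (urlparse(href).hostname or "").lower()
        match = URLISH.match(text)
        shown_host = match.group(1).lower() if match else ""
        if shown_host and shown_host != real_host:
            findings.append(("mismatch", text, href))   # text lies about the host
        if urlparse(href).scheme.lower() != "https":
            findings.append(("not-https", text, href))  # not a secure connection
    return findings

# Constructed sample message body; the bank name and address are made up.
SAMPLE = """<p>Dear customer, please <a href="http://198.51.100.7/login">
https://www.examplebank.com/login</a> to validate your PIN.</p>
<p>Questions? See <a href="https://www.examplebank.com/help">our help page</a>.</p>"""

if __name__ == "__main__":
    for reason, text, href in suspicious_links(SAMPLE):
        print(f"{reason}: link shows '{text}' but goes to {href}")
```

Reading mail in Plain Text makes the same mismatch visible without any tooling, because the raw href is all that is shown.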

4. Responding to e-mails or providing your e-mail address on registration forms can put you on spam lists and make you a potential target. Be especially careful using your slac.stanford.edu address. You can look up suspected hoax e-mails at snopes.com or look for more information on the computer security webpage, Resources for Investigating Hoaxes.

5. Of the over half a million e-mails received daily, our filters catch/block about 91% of mail sent by known spammers (black listed) and questionable sources; however, there is no absolute solution. SCCS is not able to notify you of all the scams that get through, so take steps to protect yourself.

For more information about how to protect your personal information, please go to the Federal Trade Commission Consumer Alert page on "How Not to Get Hooked by a 'Phishing' Scam." Also visit SLAC Computer Security webpage or contact us if you have any further questions or concerns.

Computer Security would like to send a special thanks to Lisa Dunn and Herbert Axelrod for contacting us regarding a suspicious e-mail sent by the DOE HSS penetration testers during our Site Assistance Review. Their quick recognition allowed us to block the source and stop the spread. This showed the HSS team that SLAC users are aware and vigilant. Thanks again.

Marilyn Cariola, SLAC Today, April 11, 2008