Phishing: Don't Take the Bait

Internet criminals are using a technique called "phishing" to obtain personal information from unsuspecting Internet users. Phishing typically involves sending an e-mail seeking personal information while falsely claiming to come from a legitimate source. Users are often prompted to update or validate passwords, credit card details, Social Security numbers, PIN numbers, or other sensitive information.

Spoofed messages claiming to be from prominent government and banking entities have included threats of legal action and jail for not responding. Some SLAC users have even received phishing e-mails disguised as death threats.

How to protect yourself:

1. Caveat emptor ("buyer beware") should be watch words for use of the Internet.
- Never give out any personal or financial information unless you are certain about the authenticity and online security policy of the organization with which you are dealing.
- Use your "known good" URLs for the banks, shopping sites, payment sites, etc.
- Conduct transactions securely. Ensure that "https" appears before the URL, rather than "http."

2. If you receive a request and are unsure of it’s legitimacy, contact the organization directly by the phone number on the back of your credit card or from a monthly statement. Do not use any phone numbers listed in the e-mail.

3. Be careful about which e-mails and attachments you open or forward.
- If you don’t recognize the sender, delete it.
- If you do recognize the sender, don't automatically assume that it is legitimate. "From" addresses on e-mails are easy to forge. If you get a bounce back (undeliverable message notice) for someone you know you didn’t send something to, delete it.
- The safest way to send or read e-mail is Plain Text. We recommend everyone make the changes necessary to only read e-mail in Plain Text format. If you are certain of a message's legitimacy and want to view messages in HTML, follow the instructions for enabling HTML.
- Don't click on links in e-mail. Pull up a new browser and manually type the website address from a recent bill or from prior legitimate communications from the organization or company.

4. Responding to e-mails or providing your e-mail address on registration forms can put you on spam lists and make you a potential target. Be especially careful using your slac.stanford.edu address. You can look up suspected hoax e-mails at snopes.com or look for more information on the computer security webpage, Resources for Investigating Hoaxes.

5. Of the over half a million e-mails received daily, our filters catch/block about 91% of mail sent by known spammers (black listed) and questionable sources; however, there is no absolute solution. SCCS is not able to notify you of all the scams that get through, so take steps to protect yourself.

For more information about how to protect your personal information, please go to the Federal Trade Commission Consumer Alert page on "How Not to Get Hooked by a 'Phishing' Scam." Also visit SLAC Computer Security webpage or contact us if you have any further questions or concerns.

Computer Security would like to send a special thanks to Lisa Dunn and Herbert Axelrod for contacting us regarding a suspicious e-mail sent by the DOE HSS penetration testers during our Site Assistance Review. Their quick recognition allowed us to block the source and stop the spread. This showed the HSS team that SLAC users are aware and vigilant. Thanks again.

—Marilyn Cariola, SLAC Today, April 11, 2008

Handy Links

SLAC News Center

SLAC Today

SLAC News

Lab News

SLAC Links

Stanford

Around the Bay

Phishing: Don't Take the Bait



Handy Links SLAC News Center News Center home page SLAC Today SLAC Today Subscribe Archives: Feb 2006-May 20, 2011 Archives: May 23, 2011 and later Submit Feedback or Story Ideas About SLAC Today SLAC News SSRL Headlines symmetry magazine TIP Archives Lab News Interactions Lightsources.org ILC NewsLine Int'l Science Grid This Week Fermilab Today Berkeley Lab News @brookhaven TODAY DOE Pulse CERN Courier DESY inForm US / LHC SLAC Links Emergency Safety Policy Repository Site Entry Form Site Maps M & O Review Computing Status & Calendar SLAC Colloquium SLACspeak SLACspace SLAC Logo Café Menu Flea Market Web E-mail Marguerite Shuttle Discount Commuter Passes Award Reporting Form SPIRES SciDoc Activity Groups Library Stanford Stanford University Stanford Report Stanford Events Life on Campus Around the Bay Bay Area Traffic Bay Area Weather Caltrain BART	Phishing: Don't Take the Bait Internet criminals are using a technique called "phishing" to obtain personal information from unsuspecting Internet users. Phishing typically involves sending an e-mail seeking personal information while falsely claiming to come from a legitimate source. Users are often prompted to update or validate passwords, credit card details, Social Security numbers, PIN numbers, or other sensitive information. Spoofed messages claiming to be from prominent government and banking entities have included threats of legal action and jail for not responding. Some SLAC users have even received phishing e-mails disguised as death threats. How to protect yourself: 1. Caveat emptor ("buyer beware") should be watch words for use of the Internet. - Never give out any personal or financial information unless you are certain about the authenticity and online security policy of the organization with which you are dealing. - Use your "known good" URLs for the banks, shopping sites, payment sites, etc. - Conduct transactions securely. Ensure that "https" appears before the URL, rather than "http." 2. If you receive a request and are unsure of it’s legitimacy, contact the organization directly by the phone number on the back of your credit card or from a monthly statement. Do not use any phone numbers listed in the e-mail. 3. Be careful about which e-mails and attachments you open or forward. - If you don’t recognize the sender, delete it. - If you do recognize the sender, don't automatically assume that it is legitimate. "From" addresses on e-mails are easy to forge. If you get a bounce back (undeliverable message notice) for someone you know you didn’t send something to, delete it. - The safest way to send or read e-mail is Plain Text. We recommend everyone make the changes necessary to only read e-mail in Plain Text format. If you are certain of a message's legitimacy and want to view messages in HTML, follow the instructions for enabling HTML. - Don't click on links in e-mail. Pull up a new browser and manually type the website address from a recent bill or from prior legitimate communications from the organization or company. 4. Responding to e-mails or providing your e-mail address on registration forms can put you on spam lists and make you a potential target. Be especially careful using your slac.stanford.edu address. You can look up suspected hoax e-mails at snopes.com or look for more information on the computer security webpage, Resources for Investigating Hoaxes. 5. Of the over half a million e-mails received daily, our filters catch/block about 91% of mail sent by known spammers (black listed) and questionable sources; however, there is no absolute solution. SCCS is not able to notify you of all the scams that get through, so take steps to protect yourself. For more information about how to protect your personal information, please go to the Federal Trade Commission Consumer Alert page on "How Not to Get Hooked by a 'Phishing' Scam." Also visit SLAC Computer Security webpage or contact us if you have any further questions or concerns. Computer Security would like to send a special thanks to Lisa Dunn and Herbert Axelrod for contacting us regarding a suspicious e-mail sent by the DOE HSS penetration testers during our Site Assistance Review. Their quick recognition allowed us to block the source and stop the spread. This showed the HSS team that SLAC users are aware and vigilant. Thanks again. —Marilyn Cariola, SLAC Today, April 11, 2008