IET launches 'authentic message' registry to counter 'phishing' emails

Logo: IET's Protecting Privacy (cropped)

WHY PHISHING IS A BIG DEAL

What happens when we fall prey to a phishing scam?

Among other things, someone who gains unauthorized access to your campus email account can send out a ton of spam, so much so that Internet service providers, or ISPs, will block emails from the entire campus.

It happened this week to UC Davis, when Comcast blocked emails from UC Davis addresses.

ISPs have done it before, blocking email from UC Davis after students, staff or faculty unwittingly gave their login IDs and passphrases to thieves.

Officials believe the Comcast incident of Nov. 5 stemmed from a single compromised email account. The block lasted about two hours.

Thieves can also use your personal information to open credit card and bank accounts, change passphrases to lock you out of your accounts, and commit other forms of identity theft.

IET urges: "Think before you reply!" and save yourself and the university the time and expense of repairing the damage.

IF IN DOUBT

Faculty, staff and students with doubts about any message are urged to contact IT Express, ithelp@ucdavis.edu or (530) 754-HELP (4357), and should do so regardless of whether they intend to ask the help desk to put the message on the registry.

IET's Anti-Phishing Campaign website.

Do any of these messages look phishy to you?

1. An email from IT Express (ithelp@ucdavis.edu) that declares "Action Required" and says you must upgrade your password.

2. An email from "UC Davis Admin" saying your "UC Davis account has been affected by some DGTX virus and it is causing email conflict between some of our subscribers. You will have to click or copy the link to remove the threat now."

3. An email from the University of California asking you to click on a URL (Web address) to scan your mailbox, and giving a warning: "Failure to upgrade your account will render your account from sending and receiving mails."

4. An ADP "Immediate Notification" email about "Your Complete Yesterday Money Transfer." The message includes a Web link and this statement: "Please dont reply to this message, automative notification system cannot accept incoming messages."

Phishing emails try to hook you into giving up sensitive information like login IDs, passwords and passphrases, bank and credit card numbers, and PINs.

That's what Examples 2, 3 and 4 are after, in classic phishing style. Of all four emails — all of them real — only Example 1 is legitimate.

But how can you be sure, especially considering the email is about your password?

In this case, the email has a recognizable sender (and address), so you could give IT Express a call. Or you could check to see if the email is on UC Davis' Registry of Authentic Messages, a new tool from Information and Educational Technology.

The IT Express Computer Services Help Desk, in considering what to put on the registry, is not looking at every one of the million-plus emails that crisscross the campus every day. Instead, the help desk evaluates emails from three sources:

• Bulk mail — All emails going through IET's bulk mail system, which processes many of the campus's mass emails (more than 250 recipients).

• Individual senders — Before you send an email to multiple recipients, you are invited to submit it to the help desk for review (and possible placement on the registry) if you suspect your email may be mistaken for a phishing attempt.

• Recipients — If you received an email that you judged to be real, but you are concerned other people may mistake it for phishing, you are invited to forward the email to the help desk to let IT staff determine if the email should go on the registry.

Keeping information safe

"We have had several requests for this service, especially from the campus technology community," said Robert Ono, the campus's information technology security coordinator. "We offer it as one more tool that people can use to keep their personal accounts and information safe."

Ono said IET advises people to avoid sending bulk messages that contain phishing characteristics, if possible. "Sometimes you can rewrite a message to make it less suspicious," he said. "If you cannot do that, please use the registry."

Email scams are varied, according to IET's FAQ on security, but the most obvious characteristic of a phishing message is that it instructs you to provide sensitive information either by replying to the message, or by clicking on a link and entering the information on a Web page.

There is no legitimate reason for anyone to request a password-passphrase or other sensitive data via email, and you should never respond to any such message. UC Davis will never ask you to confirm your passphrase by email, or by telephone for that matter.

Other red flags can be seen in Examples 2, 3 and 4 above: They urge you to act quickly, seem threatening, or use poor grammar or misspelled words (such as "automative" for "automatic"). They might ask you to "confirm" your account information, or "alert" you to unexpected activity on a bank account.

Fraudulent emails often come at odd times (4:10 a.m. in the case of Example 2).

Phishing attempts also may require you to do something, or click on a URL that you do not recognize. Such was the case with a UC email (Sept. 11) telling employees to complete a course in ethical values and conduct, and directing employees to an unfamiliar website to take the course.

In fact, this was a legitimate and important message about mandatory compliance training — and the email would have made the registry, had it existed at the time.

Learn how to spot it

The registry does not list phishing scams — the volume is so large that the campus could not possibly keep up. Nor does the registry include UC or UC Davis messages that do not resemble phishing. The registry's purpose is to verify the authenticity of messages that may be mistaken for phishing.

"The best defense against phishing is to know how to spot it," said Ono, encouraging people to learn more on IET's Anti-Phishing Campaign website.

The registry website includes instructions on how to submit emails — those you have sent or are planning to send, or those you have received — for possible inclusion on the registry.

The page also includes a link to IET's guidelines for what goes on the registry. They can help you write and send a message in such a way as to avoid any hint of phishing, or, if that is unavoidable, you can ask the help desk to consider posting your message on the registry.

You can also suggest someone else's mass email for the registry; however, IT Express will not post a message unless the author agrees.

The registry posts each message's subject line, and who sent the message and when; clicking on the entry brings up the entire message. Messages stay on the registry for about, but not less than, 30 days.

The IET security team and IT Express will evaluate the registry in early 2013, to assess how people are using it and make revisions if needed. Comments and questions can be directed to Ono via this email address, security@ucdavis.edu.


Media Resources

Dave Jones, Dateline, 530-752-6556, dljones@ucdavis.edu
