The Information Security & Policy Office urges the campus to be vigilant of phishing scams, which have spiked since the beginning of the semester. Phishing scams use emails or phone calls to solicit personal or confidential information that the scammer could use illicitly.
Since Aug. 22, more than 200 university email accounts had to be administratively disabled—meaning the HawkID password was reset—after they were compromised and discovered to be sending out spam.
The recent scams have asked users to log into websites designed to look like authentic UI websites or services, or sent an email notifying users of a meeting and asking them to accept it.
When a person logs in through the fraudulent link their HawkID user name and password are harvested, then used to send out spam to infect other email accounts, or to access other systems to which the user’s HawkID has access. In some cases, harvested credentials are sold on the black market.
When a compromise occurs, HawkID passwords are administratively reset, preventing the infected email accounts from sending more messages. Help Desk staff reach out to these users to explain what happened and walk them through a process of checking their email accounts for changes made by hackers. The account is re-enabled once it is clean.
As part of its ongoing awareness and education, the security office shared these tips to avoid scams:
- Train yourself to hover your mouse over a link before you click it; the URL to which it actually leads to should pop up in a box or bubble. Look at the URLs closely to make sure they match; it may even warn you of a mismatch.
- Be cautious of any link that doesn’t clearly indicate where it leads—particularly links that say “click here” or those that do not disclose where you go when you click them.
- NEVER provide personal or financial data, especially when it is requested by a stranger.
- Avoid accepting meeting invitations for unexpected meetings.
- Do not respond to the initial contact if you are not expecting the e-mail and do not know the sender. If you receive an e-mail you suspect to be malicious, drag it into your Outlook ‘Junk’ mail folder. This will disable clickable images that are used to conceal malicious links and allow you to see where the link would actually take you if you were to click it.
- Watch out for messages with an urgent tone—like a promise of big money if you act NOW.
- Beware of messages riddled with misspelled words and poor grammar.
- Do a Web search for the organization with which the email appears to be associated. Contact the organization directly using contact information on its website to verify the message.
- Report phishing scams to the ITS Help Desk (drag and drop the email into a new message and send). By reporting scams, you alert UI officials so they can take action to address it for the benefit of other students and employees.
If you fall victim to a phishing attack, do not engage the criminals in further communication. Immediately contact the ITS Help Desk (at 319-384-4357 or firstname.lastname@example.org), your local IT support person, or the IT Security Office at email@example.com.
Additional educational resources are available at learnaboutsecurity.uiowa.edu.