Wednesday, November 20, 2013

University of Iowa officials are enhancing security and reminding campus technology users how to avoid being duped after a number of employees became victims of a recent “phishing” scam.

Phishing uses “spoofed” or fake emails and websites to trick people into giving out personal information.

Jane Drews, head of the UI Information Technology Services Security and Policy Office, says that in addition to improved security and filtering, users need to become savvier about spotting suspicious emails.

“While ITS and Human Resources are doing what they can with technology, at the end of the day this is a social engineering attack on people,” Drews says. “For these phishing attacks to succeed, users must be persuaded to click the link and enter a password or other private information.”

ITS is working to reduce the amount of phishing emails and other spam that make it through the university’s filters. And UI Human Resources is taking steps to minimize the risk of unauthorized or unintentional changes to sensitive information in the HR Employee Self Service site, including:

  • When changes are made to direct deposit information an email is automatically sent notifying employees of the change.
  • Bank account numbers for direct deposit routing will be masked in Self Service so only the last four digits of the account are visible.
  • To view or make changes to sensitive financial information in Self Service, a second verification will be required beyond users’ login and password.

UI officials say the number and sophistication of phishing scams are growing exponentially and that some can look remarkably authentic. Already this semester there have been 800 phishing scams via campus email.

Many of the more convincing phishing messages captured by ITS use campus-specific terms such as “HawkID” and “ITS,” along with the University of Iowa name and logo. Most recently, subject lines have included “Your HawkID was compromised” or “Your UI NETID was compromised.”

Recipients are often directed to a remote website to “reconfirm your login details,” allow a “monitoring alert system” to prevent further compromise, or to “block the suspicious IP.”

UI officials say ITS will never send campus users email asking them to confirm their login or sensitive personal information. Users should not reply or click on links embedded in these emails, as these lead to websites that often install malicious software on users’ computers, in addition to gathering personal information.

Campus email users who receive a suspicious email are encouraged to contact the ITS help desk, which may ask for it to be forwarded for review.

Other precautions users can take to minimize the risk of having accounts and identity compromised include the following:

  • Always be suspicious of emails asking for sensitive information. Remember that email is not a secure form of communication. Organizations with whom you do business already know your account information and will never request it from you in an email. Phishers will usually include false statements designed to increase urgency and make you give up your information more quickly, such as “Your account is going to be terminated unless you respond immediately.”
  • Never respond to an email request for personal information. Always err on the side of caution. Look at the “From:” field in the email. If the organization name does not match the “Reply To:” organization name, the message is probably spoofed (falsified). For example, a message from a local credit union or bank would not have a reply email address ending in “yahoo.com.” If you ever need to provide personal information like a credit card number, make sure you are using a secure, trusted website or, if on a phone call, be sure you initiate the call to the company and not the other way around.
  • Never follow the links in an email you suspect might be phishing. If you’re unsure about a link to a site you receive in an email, “hover” your cursor over it without clicking. If the link text in the email doesn't match the link address, do not click it. Log directly onto the company’s web site or call the company. Most companies will know if there is a phishing scam involving their company and be able to verify if the information in the email is real or not.
  • Consider installing a toolbar that blocks scam sites. Some browser tools can alert you when you are accessing a page that is a known fraudulent phishing site, or block the site altogether. Perform an Internet search for “phishing toolbar blocker” to find different tools and options.
  • Always make sure your operating system, antivirus software, and browser are up to date. Some scams exploit viruses or security holes in operating systems like Windows and browsers like Internet Explorer. You should always make sure you have the latest security updates installed on your computer. The ITS Help Desk Security Center has more information not only on how you can keep your computer and data protected, but also examples of current and past scams.
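The first three precautions above (a “From:” organization that does not match the “Reply To:” organization, link text that does not match the link address, and urgency wording such as “terminated unless you respond immediately”) can be checked mechanically before a message reaches a person. The script below is an added example written for this page, not a tool from UI ITS; the two messages it inspects are constructed samples, and every domain in them is a placeholder (`university.example`, `example-mail.test`, `verify.test`). It parses each message with the Python standard library, extracts the From and Reply-To domains, compares the host shown in each link’s visible text with the host in its `href`, and looks for the urgency phrases the article quotes.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a spoofed "your account was compromised" message.
# All addresses and hosts are placeholders, not real domains.
PHISH_EML = """\
From: IT Help Desk <helpdesk@university.example>
Reply-To: account-verify@example-mail.test
To: jane.doe@university.example
Subject: Your account was compromised
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account is going to be terminated unless you respond immediately.</p>
<p>Visit <a href="http://university-example.verify.test/login">https://selfservice.university.example/reconfirm</a>
to reconfirm your login details.</p>
</body></html>
"""

# Constructed sample: a legitimate direct-deposit change notification.
CLEAN_EML = """\
From: Payroll <payroll@university.example>
Reply-To: payroll@university.example
To: jane.doe@university.example
Subject: Direct deposit change confirmation
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your direct deposit account ending in 1234 was updated today.</p>
<p>Review it at <a href="https://selfservice.university.example/payroll">https://selfservice.university.example/payroll</a>.</p>
</body></html>
"""

# Urgency wording quoted in the article's examples (lower-case for matching).
URGENCY_PHRASES = ("terminated", "respond immediately", "compromised",
                   "reconfirm your login", "suspicious ip")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element, plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []   # list of (href, visible text)
        self.text = []    # all visible text fragments
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def domain_of(header_value):
    """Return the lower-cased domain part of an address header ('' if absent)."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def looks_like_url(text):
    return "://" in text or text.lower().startswith("www.")


def host_of(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze(raw_message):
    """Apply the article's three manual checks to one RFC 822 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))

    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    collector = LinkCollector()
    collector.feed(body)

    # Check 2: visible link text that names a different host than the real target.
    mismatched = [(text, href) for href, text in collector.links
                  if looks_like_url(text) and host_of(text) != host_of(href)]

    # Check 3: urgency language in the subject or visible body text.
    haystack = (str(msg.get("Subject", "")) + " " + " ".join(collector.text)).lower()
    urgency = [p for p in URGENCY_PHRASES if p in haystack]

    findings = []
    # Check 1: Reply-To organization differs from the From organization.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    for text, href in mismatched:
        findings.append(f"link text {text!r} points to {href!r}")
    if urgency:
        findings.append("urgency wording: " + ", ".join(urgency))

    return {"from_domain": from_domain, "reply_to_domain": reply_domain,
            "mismatched_links": mismatched, "urgency_phrases": urgency,
            "findings": findings}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EML), ("clean", CLEAN_EML)):
        print(label, analyze(raw)["findings"] or ["no findings"])
```

The heuristics deliberately mirror what the article tells users to look for, so they are a triage aid rather than a verdict: a legitimate mail-merge service can set a Reply-To on another domain, and a phishing message with a consistent Reply-To and plain-text links will produce no findings. The third sample check (urgency wording) is the noisiest and is best used to raise a message’s priority for review rather than to block it.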

More information about ITS security may be found at http://itsecurity.uiowa.edu, and additional tips for avoiding phishing scams may be found at http://education.apwg.org/r/en/index.htm.