Move is in response to recent ‘phishing’ scam
Tuesday, November 26, 2013

The University of Iowa has temporarily restricted off-campus access to sensitive financial information on employee Human Resources Self Service websites in response to a recent spike in “phishing” emails.

Limited earning information, excluding direct deposit account details, will be available from off campus while full paycheck information will be available only to employees logged in to computers connected to the UI’s network.

The university has experienced a recent spike in so-called "phishing" email scams that attempt to trick staff into providing HawkIDs and passwords, exposing their personal and financial information to potential theft and fraud. The number and sophistication of these scams are growing exponentially, and fake emails and websites can sometimes look remarkably official.

ITS is working to reduce the number of phishing emails that make it past the university's spam filters. And UI Human Resources is taking steps to minimize the risk of unauthorized or unintentional changes to sensitive information in the Self Service website, including:

  • When changes are made to direct deposit information, an email is automatically sent notifying employees of the change.
  • Bank account numbers for direct deposit routing are masked in Self Service so only the last four digits of the account are visible.
  • To view or make changes to sensitive financial information in Self Service, a second verification is required beyond users' login and password.

Employees with an urgent need to get details about their paychecks should contact UI Payroll at 319-335-2381.

Many of the more convincing phishing messages use campus-specific terms such as "HawkID" and "ITS," along with the University of Iowa name and logo. Most recent subject lines have included "Your HawkID was compromised" or "Your UI NETID was compromised." But there are ways to spot fraudulent emails and websites.

  • Always be suspicious of emails asking for sensitive information. Remember that email is not a secure form of communication. The university already knows your account information and will never request it from you in an email.
  • Be wary of emails demanding you provide personal information immediately. Phishers will usually include false statements designed to increase urgency and try to make you give up your information more quickly, such as "Your account is going to be terminated unless you respond immediately."
  • Never respond to an email request for personal information. Always err on the side of caution. Look at the "From:" field in the email. If the organization name does not match the "Reply To:" organization name, the message is probably spoofed (falsified). For example, an official university email would not have a reply email address ending in "yahoo.com" or "gmail.com." If you ever need to provide personal information like a bank account number, make sure you are using the official HR website at hris.uiowa.edu or, if on a phone call, be sure you initiate the call to the company and not the other way around.
  • Never follow the links in an email you suspect might be phishing. If you're unsure about a link to a site you receive in an email, "hover" your cursor over it without clicking. If the link text in the email doesn't match the link address, do not click it.
  • Just clicking on a link in a fraudulent email can install malicious software on your computer, so always make sure your operating system, antivirus software, and browser are up to date. The ITS Help Desk Security Center has not only more information on how you can keep your computer and data protected but also examples of current and past scams.

Employees who think they may have replied to a scam email, or clicked a link in one and entered their password, should update their password immediately by visiting hawkid.uiowa.edu. Otherwise, they should contact the ITS help desk at its-helpdesk@uiowa.edu or 319-384-4357, and ITS staff can tell them whether to delete or forward a suspicious email message for review.

More information about ITS security may be found at itsecurity.uiowa.edu, and additional tips for avoiding phishing scams may be found at education.apwg.org/r/en/index.htm.