University of Alabama at Birmingham
Information Technology
Email Spoofs and Phishes

In addition to spam, there are other email hazards, commonly referred to as "spoofed" or "phished" messages, sent in an attempt to collect sensitive personal or financial information from recipients.

For example:

Dear valued [CompanyName] member,

Due to concerns, for the safety and integrity of the online [vendor service] community we have issued the following warning message.

It has come to our attention that your account information needs to be confirmed due to inactive customers, fraud and spoof reports. If you could please take 5-10 minutes out of your online experience and renew your records you will not run into any future problems with the online service. However, failure to confirm your records may result in your account suspension.

Once you have confirmed your account records your internet [vendor service] service will not be interrupted and will continue as normal.

Please click here {fake web site address} to confirm your [vendor service] account records.

Thank you for your time,


[CompanyName] Billing Department.

At first glance, such emails appear authentic, but they are, in fact, very clever attempts to fool you into parting with important personal information. These emails share many common characteristics:
  • they appear to be from a large company, or a company you do business with, such as eBay, Amazon.com, PayPal, CitiBank, Bank of America and so forth;
  • they contain alarming language, such as a warning that someone has been making purchases on your account;
  • they contain a link to a web site where you are asked to enter some sensitive personal information, such as your name, address, credit card numbers, social security number, etc;
  • and they are usually "signed" by a security or credit related department of the company.

How can one tell if the message is real or fake?

The "From" line of email messages can easily be faked, and so you should never rely on just looking at the "From" line to determine if an email is real or not. There are many other clues to the authenticity of such email:
  • The email contains obvious grammatical or spelling errors ("Due to concerns, for")
  • The message opening is very general (as above, "Dear valued Citibank Member:"), incorrectly identifies you, or uses only your email account name ("Dear Kan13245")
  • The email asks you to "renew your records" or otherwise update your account information.
  • The message asks you to link to a web site which seems to be legitimate, but has extra information or characters at the end (http://www.amazon.com/myhacksite?brth=2y3bn45&uid=Kan13245).
  • The web site prompts you for your userid and password, and then opens a page asking for credit card numbers, bank account numbers and so forth.
Any time you receive an email like this, exercise extreme caution, as the email is most likely a fake.

While not all of these clues may be in the email, it is always best to be very suspicious of any email which invites you to give important personal information, especially if you have not solicited any such request from the company.
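The clues above can be checked mechanically. The following script is an added example, not part of the UAB page: it parses a constructed sample message (every address and host in it is made up) and reports which of the page's clues it finds, namely a generic greeting, a request to renew or confirm records, alarming language, a link whose visible text names a different host than its href, a link with extra parameters tacked on the end, and a sender address outside the company's real domain. The `expected_domain` parameter is an assumption of this example: it is the domain the company really sends from.

```python
# Added example: heuristic check for the phishing clues listed on the page.
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the page's example; addresses and hosts are made up.
SAMPLE_EMAIL = """\
From: "[CompanyName] Billing Department" <billing@mail-update.example.net>
To: kan13245@example.edu
Subject: Your account records need confirmation
Content-Type: text/html

<html><body>
<p>Dear valued [CompanyName] member,</p>
<p>Failure to confirm your records may result in your account suspension.</p>
<p>Please <a href="http://www.company.example.net/login?uid=Kan13245">click
here http://www.companyname.com/account</a> to renew your records.</p>
</body></html>
"""

# Constructed benign message from the same made-up company, for contrast.
BENIGN_EMAIL = """\
From: "Order Confirmation" <orders@companyname.com>
To: kan13245@example.edu
Subject: Your order has shipped
Content-Type: text/plain

Hi Kan, your order shipped today. Track it at
http://www.companyname.com/orders/12345
"""

GENERIC_GREETINGS = ("dear valued", "dear customer", "dear member", "dear user")
RECORD_PHRASES = ("renew your records", "confirm your records",
                  "confirm your account", "update your account")
ALARM_PHRASES = ("account suspension", "suspended", "unauthorized", "fraud")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


def _host(token):
    """Lower-cased hostname if token parses as a URL with one, else None."""
    hostname = urlparse(token.strip()).hostname
    return hostname.lower() if hostname else None


def phishing_indicators(raw_message, expected_domain):
    """Return the names of the page's clues found in an RFC 822 message.

    A sender address outside expected_domain is a clue; a matching one
    proves nothing, because the From line is easily faked.
    """
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    text = body.lower()
    found = []

    if any(g in text for g in GENERIC_GREETINGS):
        found.append("generic_greeting")
    if any(p in text for p in RECORD_PHRASES):
        found.append("asks_to_update_records")
    if any(p in text for p in ALARM_PHRASES):
        found.append("alarming_language")

    collector = _LinkCollector()
    collector.feed(body)
    for href, visible in collector.links:
        # Host named in the link text itself, if the text contains a URL.
        shown = next((h for h in map(_host, visible.split()) if h), None)
        if shown and shown != _host(href):
            found.append("link_host_mismatch")
        if urlparse(href).query:  # e.g. ?uid=Kan13245 tacked on the end
            found.append("link_has_extra_parameters")

    _, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    if domain != expected_domain and not domain.endswith("." + expected_domain):
        found.append("sender_domain_mismatch")

    return list(dict.fromkeys(found))  # drop duplicates, keep order
```

Calling `phishing_indicators(SAMPLE_EMAIL, "companyname.com")` reports all six clues, while the benign order notice reports none. The phrase lists are deliberately short; a real mail filter would use a larger vocabulary and weight the link-host mismatch far above the wording clues, since it is the hardest one for a sender to make look innocent.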

What should I do if I suspect the email is a fake?

First, you should know that most legitimate companies would never send you an email like the one above. Many companies realize that their customers are bombarded with these spoof or phished emails, and try to emphasize that at no time will they send unsolicited email to customers about such issues. In fact, all of the previously mentioned businesses have public disclaimers indicating that they never request such information via email.

But, if you do get a suspicious email...

You can always report it. Most legitimate companies encourage you to forward suspicious emails to their security department if you are unsure of the email's authenticity, and will respond within 24 hours with an answer.

Then, delete it. Drag it to the trash, then empty the trash. And forget about it. You've defeated the spammers by not falling for their tricks.

What do I do if I was tricked and entered my information on the web site?

If you have already entered sensitive financial information or your password into a Web site based on a request from a spoofed email, you should take immediate action to protect your identity and all of your online accounts.
  • Treat the situation like you lost your wallet or purse. Immediately contact all of your financial institution(s), preferably by phone, and inform them of the situation.
  • Choose a strong password that is significantly different from your old passwords.
  • Go to every web site where you may have stored credit card and/or bank numbers and change the password at each web site.
Be quick, but thorough. Cover all of your bases, and you can minimize the risk.

© 2004 - The University of Alabama at Birmingham - All Rights Reserved
This file was last updated on: Monday, 10-Dec-2007 12:26:35 CST