About 800 “phishing” scams have reached University of Iowa students, faculty and staff via campus email this semester, prompting the UI to enhance its security and take extra steps to derail scammers.
Several employees have been tricked by the recent phishing scams, which use fake emails and websites to goad victims into giving out personal information. UI officials say the number of scams is “growing exponentially,” and some of them are sophisticated and can look “remarkably authentic.”
In response, UI information technology services officials have taken steps to reduce the amount of phishing emails and other spam that gets through university filters. And UI human resources officials have taken action to minimize the risk of unauthorized or unintentional changes to sensitive information in the employee “self service site.”
For example, now when changes are made to direct deposit information, an email is automatically sent to employees notifying them of the change. Bank account numbers for direct deposit routing also now will be masked on the self service site so only the last four digits are visible.
Employees from now on will be required to submit a second verification – beyond a login and password – to view or make changes to sensitive financial information, according to UI News Services.
Among the more convincing phishing scams seen this semester in UI email accounts are ones using campus-specific terms like “HawkID” and “ITS” along with the university name and logo, according to UI officials. Subject lines of late have included messages like, “Your HawkID was compromised” or “Your UI NETID was compromised,” officials reported.
Recipients often are directed to another website to confirm login details and allow a monitoring alert system to prevent further compromise. But officials say the UI never will send campus users emails asking them to confirm their login or sensitive personal information and users never should reply or click on links in emails asking them to do so.
The UI also is encouraging campus email users to be vigilant, and it is educating them on how to better spot suspicious emails.
“While ITS and human resources are doing what they can with technology, at the end of the day this is a social engineering attack on people,” Jane Drews, head of the ITS Security and Policy Office, said in a news release. “For these phishing attacks to succeed, users must be persuaded to click the link and enter a password or other private information.”
Anyone who receives a suspected scam through campus email is encouraged to contact the ITS help desk. Below are more UI tips, precautions and recommendations to avoid being scammed.
Organizations you do business with already know your account information and will never ask for it via email.
Phishers might use false statements of urgency to make you disclose information more quickly like, "Your account is going to be terminated unless you respond immediately."
Look at the “from” field in the email. If the organization name does not match the “reply to” organization name, the message is probably a scam. A message from a local bank would not have a reply email address ending in yahoo.com, for example.
If you need to provide personal information, like a credit card number, make sure you are using a secure, trusted website. If on a phone call, be sure you initiate the call.
If you’re unsure about a link to a site you receive in an email, hover your cursor over it without clicking. If the link text in the email doesn't match the link address, do not click it.
Visit the company’s web site directly or call the company. Most companies will know if there is a phishing scam involving them.
Consider installing a tool that blocks scam sites. Some browser tools can give an alert if you are accessing a page that is a known phisher or block the site altogether.
Always make sure your operating system, antivirus software, and browser are up to date.