Recently our campus email system has been hit by several phishing attempts that are devised to acquire your login and password. Hackers then use your email address to flood the Internet with millions more email messages that attempt to get the credentials of others. The end result of these emails is to cripple our email servers, and cause Purdue Calumet to get placed on the email blacklists of many of the major email carriers (Google, yahoo, etc.). We would also be blacklisted by other entities that subscribe to these services as well. The result of this is that the legitimate email that you thought you were sending to a colleague or business contact gets rejected and thrown away. The other consequence is the considerable amount of time that Information Services technical staff has to spend tracking these down and repairing the damage caused by these events.
How does this happen?
- Phishers tend to rely on the fear factor and try to create a sense of urgency when sending these emails.
- In most cases, they communicate the need for immediate action on the part of the user or essential services, such as the use of email, will be cut off. They are betting that by creating that small bit of panic in the back of your mind that you will not look as closely at the email as you normally would and somewhat blindly do what the email tells you.
How can you help?
- First of all, Purdue Calumet uses Microsoft Outlook for employee email services. Notification of ′running out of space′ messages is done from within Microsoft Outlook and the clearing of space is performed by each individual user by either archiving or deletion. By the nature of this method, you will never see a message from anyone at Purdue asking for action on your part to prevent your account from being disabled.
- Second, Purdue Calumet does not now and never has had any form of WEB-MAIL. The only way to access Purdue Calumet email using the web is to use the Outlook Web Access Client. This is a web based client and not web mail.
- Third, be sure to carefully read messages before responding to them. Make sure that any link in an email goes to where it is intended to go and if in doubt, don’t click it. In the last phishing attack, there were no references to purduecal.edu or purdue.edu anywhere in the email yet people responded and willingly gave their credentials.
- Fourth, if a link looks legitimate, place your mouse pointer over the link, the link information will appear in a small box. Make sure it matches and goes to where you intend.
- Lastly, regardless of the situation, no one at Purdue will ever ask for your password whether it be via email, on the phone, or in person. Anyone that asks for your password should be reported to the Office of the Vice Chancellor for Information Services.
If you have any questions please contact James R. Pardonek, Assistant Director for Information Security and Assurance, at (219)989-2745 or e-mail email@example.com.
Filed under Security Alerts.