Internet scam artists pry usernames and passwords from unwary computer users
Scammers are constantly finding new ways to pry confidential information from computer users using fraudulent email messages.
In recent weeks, members of the Stanford community have fallen prey to "phishing attacks" and given their usernames and passwords to Internet scam artists who had sent them fraudulent emails disguised as messages from the university.
Such mass fraudulent email mailings – known as phishing attacks in computer lingo – are cleverly designed to trick people into responding.
Once Internet scam artists have usernames and passwords, they take over email accounts – and Stanford's outbound email servers – and use them to launch attacks on thousands of computer users worldwide, said Matthew Ricks, executive director of Stanford's Computing Services, which is part of Information Technology (IT) Services.
The surge in spam emails coming from Stanford also has caused Internet service providers like Hotmail to occasionally block email from Stanford's outgoing email servers to hotmail.com addresses.
"Most phishing attack email messages are filtered out by our anti-spam software, but since these types of messages are constantly changing as the phishers try to keep ahead of the spam blockers, there are sometimes messages that do get through to end users," Ricks said.
When those anti-spam filters detect an email with a high likelihood of being spam, the software inserts the "[SPAM:####]" prefix in the subject line, Ricks said.
Two recent phony emails flagged by the software carried the subject lines "Virus Detected" and "Validate Your Mailbox." The fake "Validate Your Mailbox" email told recipients that their email "had been compromised by spammer" and asked them to click on a link to "validate your mailbox for better security."
Two other recent phony emails that weren't flagged, including one from the fictitious "Stanford University Mail Messaging Center," said the email accounts of the recipients would be disabled unless they provided their usernames and passwords.
Ricks said Computer Services has sent copies of the fraudulent emails to Stanford's anti-spam software vendor; both groups are working to make sure Stanford's automated filters are as effective as possible.
In the meantime, Ricks reminds everyone that Stanford will never ask faculty, staff or students to reveal their usernames or passwords in an email.
What should you do if you receive a suspicious email?
Delete it. Or, if you're unsure about its authenticity, you can forward it to Stanford's Information Security Office at security@stanford.edu for review.
"Do not click on links listed in an email that you think may be a phishing attempt," Ricks said. "Even if the addresses look like they go to the right place, it is very easy to make bogus web addresses that look valid."
To learn more about how to protect your computer and data from the risks of phishing and other attacks and scams, there is a self-paced online course available through STARS, titled Computer Security Awareness (ISO-0001).
For more information, Ricks recommended an article posted on the Federal Trade Commission's website, "How Not to Get Hooked by a 'Phishing' Scam," and an article on online safety posted by Microsoft Corp., "How to Recognize Phishing Emails or Links."
Share This Story