Penn State Fights Phishing Scams

If you've ever been tempted to respond to an e-mail that appears to be a legitimate inquiry from your bank, you're not alone. Phishing schemes - criminal attempts to solicit confidential data through e-mail and the Web - are on the rise today and are becoming increasingly convincing and dangerous.

According to the Internet service provider AOL, one in five of its customers has fallen for a phishing scam, and the Anti-Phishing Working Group (APWG) reports that the number of phishing (or fake) sites on the Web reached 2,560 at the end of January - a jump of 47% from December (http://www.antiphishing.org/resources.html).

Most phishing schemes come in the form of unsolicited e-mail, with phrases like, "your bank needs to confirm your account, please click here," explains Jeff Kuhns, senior director of Penn State ITS Consulting and Support Services.

However, instead of directing customers to the bank's Web site, the link leads them to a false Web site, and then prompts them to provide personal information such as their password, address, social security number, credit card data and more. The "phishers" then use the information to commit identity theft, a type of criminal activity that can include creating false bank accounts, maxing out credit cards, and taking out loans in the victim's name.

"Our concern is that some individuals will provide information when they get an e-mail note from a place like helpdesk@localbankname.com, and assume it is a legitimate request," said Kuhns. "We want students, staff, and faculty to understand that even if a company address may look legitimate, it's important to never send private information in response to an e-mail of this kind."

In addition, anyone who receives a Web pop-up message that asks for personal or financial information should not reply or click on the link in the message. Legitimate companies typically don't ask for this kind of sensitive information via the Internet, according to the Federal Trade Commission.

Phishing e-mail currently reported at Penn State includes fraudulent inquiries that appear to come from a variety of financial institutions such as Huntington National Bank, Washington Mutual (WAMU), and PayPal, as well as ecommerce companies like eBay, Microsoft and Amazon.com. Phishers also sometimes use fraudulent e-mails to sell loans and mortgage deals - or to suggest recipients should send information because they've won a large sum of money or a prize. Another phishing technique involves the distribution of a message that appears to come from a wealthy person in a third world country, falsely conveying that recipients will receive a small fortune for helping them transfer funds to the United States.

While the University's filtering software is able to eliminate many spam and phishing e-mails before they reach Penn State community members' inboxes, there are still a number that inevitably get through the mail system, Kuhns adds. So, University e-mail users should remain vigilant and aware of typical phishing phrases such as:

In addition, students, faculty and staff who suspect they may have received phishing spam or other kinds of illegal e-mail should report their concerns to authorities such as the Federal Trade Commission (FTC), the Anti-Phishing Working Group, or use the system described at http://sos.its.psu.edu/spamcomplaint.html to file a complaint. To learn more about how to avoid the latest phishing scams, please see:

http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm, or http://www.microsoft.com/athome/security/email/phishing.mspx.

The Pennsylvania State University ©2005. All rights reserved.
This site maintained by Consulting & Support Services, a unit of Information Technology Services.

Last revised: Friday, March 11, 2005.