What are phishing scams?
Phishing scams are a form of Internet fraud. This type of scam uses spam or pop-up messages to trick users into disclosing credit card numbers, bank account information, Social Security numbers, or other confidential information.
How do phishing scams work?
Cyber-criminals send e-mails or generate pop-up messages claiming to be from a legitimate business or organization that you might typically deal with; such as your Internet Service Provider (ISP), online payment services (credit card companies, eBay, PayPal), loan company, parcel delivery servicer, University, and/or bank. Phishing scams are becoming more sophisticated in nature because cyber-criminals are incorporating company logos and company contact information in their scams. While designed to appear authentic, these websites you are directed to are actually controlled by the attacker and are intended to harvest your personal information.
Why do cyber-criminals want my account details?
Cyber-criminals can use your information in a variety of ways. With you personal and financial data, cyber-attackers can commit fraud and identity theft. They can also harvest your account information to send out more spam to others. By pretending to be you, they may be able to get more users to click on their malicious sites.
Does the University filter email?
Yes, the University filters email based on technical flags associated with known bad senders and known bad web links. Filtering is done to: a) reduce the amount of junk mail our users have to deal with and b) to protect our users and our IT systems from phishing schemes and malware.
How are “Junk Mail” and “Phishing” messages identified?
University email technicians utilize spam filtering tools to block millions of unwanted inbound emails, which are known as junk mail and phishing messages. Spam/junk mail and phishing identifiers are not made up by University IT employees. They are developed by security companies, such as Cisco, through analysis and sharing of information about known bad senders and known bad web links.
Would a legitimate email be filtered out?
If someone on the Internet has their email account compromised, their email address might be flagged and placed in this quarantine. If you believe an email address that you are expecting mail from should not be blocked, you may request that address be placed on an approved list. That list is used by the information security team to allow emails from selected, trusted senders to make it through the filters. To request to be placed on the white list, work with your departmental IT support personal. Requests should be sent to email@example.com. Please note that a request does not mean it will be granted.
What should I do if I did not receive an email I think I should have?
If you didn’t receive an email you were expecting, make sure to contact your campus’s IT Tech Support team.
- MU: 573-882-5000
- UMKC: 816-235-2000
- UMSL: 314-516-6034
- Missouri S&T: 573-341-4357
Can phishing emails still reach my official University account?
YES! JUST BECAUSE AN EMAIL REACHED YOUR ACCOUNT DOESN'T MAKE IT LEGITIMATE! While the University directs email through anti-spam filters as they enter into our mail servers, it is inevitable that some of these emails may still reach your account. Cyber-criminals are constantly looking for ways to bypass our rules. Additionally, there are instances where an internal user's account has been compromised and their emails are allowed to pass through our filter. Given this, it is critical that you become familiar with how to distinguish a phish and know what to do when you get one.
Follow these best practices to prevent getting snagged!
- FIRST AND FOREMOST, the University will NEVER ask you for your user name and/or password. This is private information and you should never share your password to anyone. Additionally, the University would rarely notify you about your mailbox exceeding its limits. If you receive a notice and are concerned, contact IT Tech Support directly.
- Turn on your firewall and use anti-virus software. Anti-virus software and web browsers periodically offer updates, which contain security patches, so these items need to be updated regularly. Also, make sure your operating system and applications are up to date.
- Never email sensitive information. Email is not a secure method for transmitting or saving sensitive information such as passwords, financial information, Social Security numbers, et cetera.
- Limit your web browsing to well-known and trusted websites and use encryption. Use SSL encryption (https://) for web browsing when possible. If you initiate a transaction, look for a secure SSL encryption as well as indicators that the site is secure for transmissions, such as the padlock symbol.
- Beware of unsecure Wi-Fi connections. You should never access, transmit, or receive sensitive information over an unsecure Wi-Fi network. Your data could easily be intercepted by a cyber-attacker inconspicuously sitting at the table next to you.
- Check bank and credit card statements regularly. Watch for any unauthorized charges and report it immediately.
- Be suspicious of email. Beware of email requiring immediate attention and demanding personal information or account information. Other suspicious indicators include spelling/grammatical mistakes, an overall generic tone, and an ambiguous website link.
- Before you act, carefully consider the type of information requested. Pay close attention to the site you are directed to. If it is a hyperlink, hover your mouse over the link and check the URL. If it claims to be from the University, then the website should direct you to an official Mizzou webpage.
- Do not click on direct links. Avoid clicking on direct links provided in an email. If you get an email from a known source, such as your bank or credit card company, then type their web address directly into your browser instead of clicking on the link provided. Remember, cyber-attackers can spoof company logos and contact information.
- Do not open attachments from unknown sources. Attachments can contain viruses that allow cyber-attackers to gain control of your computer system. If they gain access to your email directory or social media networks they can send malicious emails on your behalf. If the email is from a known source, but the tone is generic and there is not an explanation for the attachment, contact the sender before opening. Remember, your friends and family could have their account credentials hacked!
- Be cautious when using a public space. If you are using a public computer, never save items to the machine, clear your cookies and cache, and sign off before you leave. DO NOT ACCESS OR TRANSMIT SENSITIVE DATA OVER A PUBLIC MACHINE!
- If it seems too good to be true, it is probably an attack. Help report phishing! If you did not actively sign-up for a drawing, chances are you are not a winner! Also, if a distant relative has left you an inheritance, it is unlikely email would not be your official notice! You can report phishing email to the University. To do so, open a new email message and address it to firstname.lastname@example.org. Drag and drop the phishing email from your inbox into this new email message as an attachment. NEVER DIRECTLY REPLY TO A PHISHING EMAIL.
If You Think You Have Already Been Phished...
- If you are a victim of a phishing scam, you will need to reset your password immediately. For information about resetting your University password, visit http://doit.missouri.edu/accounts/password-tools.
- If this vulnerability relates to your University account, you are required to report the incident. Please review the mandatory reporting requirement at http://infosec.missouri.edu/hr/mandatory-reporting.html.
- Lastly, if you believe you are a victim of a phishing scam, you may file a complaint at www.ftc.gov and then visit the FTC's Identity Theft website to learn how to minimize your risk of damage from Identity theft.
Last updated: June 18, 2016