Purdue Today

September 8, 2008

'Spear Phishing' attacks increase in Purdue e-mail

Recently, people at Purdue have been receiving an increased number of a particular type of phishing e-mail that appears to be sent from Purdue University departments. These e-mails are a targeted form of online fraud known as "spear phishing," and campus IT security experts warn that users should never provide personal information in response to an unsolicited request.

Responding to these e-mails with your University account credentials (username and password) can result in unauthorized access to University resources and can lock a user out of their University computing accounts. 

Responding with other personal information may also result in identity theft.

Greg Hedrick, manager of security services within ITaP, says that these types of e-mails can be a problem not just for the end users who receive the e-mail, but also for the daily running of the University. 

"These types of e-mails present difficulties because Purdue often uses e-mail as a means to communicate quickly and effectively with a large number of Purdue students, faculty, and staff," he says.

Hedrick says it is imperative that e-mails from the University avoid the appearance of phishing e-mails. End users might begin to ignore legitimate e-mails from University departments if they have no way to tell whether those e-mails are authentic.

Hedrick offers the following tips for administrators, faculty, and student organizations to help end users separate phishing e-mails from University e-mails:

-- Never ask for personal identity information in an e-mail, such as Social Security number, health information, financial information, or username and password combinations. End users might be more likely to disregard an e-mail message if this type of request is included in the e-mail.

"In addition, Purdue University IT Units will never ask end users to provide their passwords in an e-mail. Asking for this type of information is almost always interpreted by savvy end users as a phishing attempt and the e-mail will be discarded," says Hedrick.

-- Avoid sending Web links in your e-mail whenever possible. Sometimes embedded links can be used to install malware on an end user's computer. It is especially wise to avoid adding non-Purdue Web links to an e-mail that is distributed to a large number of people on campus.

-- Be conscious of the use of good grammar and spelling. Many times phishing e-mails contain poor grammar and spelling mistakes.

-- Always send from a Purdue University e-mail address and use a Purdue University "reply to" address. In addition, always include a contact person, campus office, and campus telephone number for a widely disseminated e-mail message, particularly if the message asks users to take some sort of action.

"This way end users who have a question can contact a University employee to verify the authenticity of the message," says Hedrick.
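The four sender tips above can be turned into a pre-send check for widely distributed campus mail. This Python example is added here and is not Purdue's or ITaP's code; the campus domain, the keyword and telephone-number patterns, and the sample draft are assumptions, and tip three (grammar and spelling) is left to a human reader.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Added example, not Purdue's code: CAMPUS_DOMAIN and the patterns are assumptions.
CAMPUS_DOMAIN = "purdue.edu"
CREDENTIAL_TERMS = re.compile(
    r"\b(password|passphrase|social security|ssn|account number|credit card)\b", re.I)
URL_PATTERN = re.compile(r"https?://[^\s<>\"']+", re.I)
PHONE_PATTERN = re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")

def _on_campus(host):
    """True when a hostname is the campus domain or one of its subdomains."""
    host = (host or "").lower()
    return host == CAMPUS_DOMAIN or host.endswith("." + CAMPUS_DOMAIN)

def _is_campus_address(header_value):
    """True when the address in a From/Reply-To header is on the campus domain."""
    _, addr = parseaddr(header_value or "")
    return "@" in addr and _on_campus(addr.rpartition("@")[2])

def review_outgoing_mail(raw_message):
    """Return a list of findings; an empty list means the draft passes every check."""
    msg = message_from_string(raw_message)
    body = "".join(part.get_payload(decode=True).decode("utf-8", "replace")
                   for part in msg.walk() if part.get_content_type() == "text/plain")
    findings = []
    hit = CREDENTIAL_TERMS.search(body)  # tip 1: never ask for credentials
    if hit:
        findings.append(f"requests personal information ({hit.group(0)!r})")
    for url in URL_PATTERN.findall(body):  # tip 2: avoid off-campus links
        if not _on_campus(urlparse(url).hostname):
            findings.append(f"off-campus link: {url}")
    # Tip 4: campus From/Reply-To plus a telephone number recipients can call.
    if not _is_campus_address(msg.get("From", "")):
        findings.append(f"From address is not on {CAMPUS_DOMAIN}")
    if msg.get("Reply-To") and not _is_campus_address(msg["Reply-To"]):
        findings.append(f"Reply-To address is not on {CAMPUS_DOMAIN}")
    if not PHONE_PATTERN.search(body):
        findings.append("no campus telephone number for recipients to verify with")
    return findings

# Constructed sample draft that breaks every tip; .example domains are placeholders.
SAMPLE_DRAFT = """From: IT Helpdesk <helpdesk@purdue-support.example>
Reply-To: verify@mail-check.example

Your mailbox quota is exceeded. Reply with your username and password
or visit http://mail-check.example/verify within 24 hours.
"""
```

Running review_outgoing_mail(SAMPLE_DRAFT) returns five findings (credential request, off-campus link, off-campus From and Reply-To, and no telephone number), while a compliant draft returns an empty list.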

Hedrick says that the spear phishing attempts seen on campus are getting more sophisticated, are increasingly using terminology that is familiar to Purdue University end users, and appear highly authentic. 

"End users play a huge part in helping stop the spread of these phishing attempts simply by being able to distinguish the authentic e-mails from the fraudulent e-mails. Anything that e-mail senders can do to help the end user make this determination is greatly appreciated."

If you receive e-mail from Purdue University or any other organization asking you to verify your account, prove your identity, or give up personal information, do not respond to the request before you verify that it is legitimate. News regarding the specifics of e-mail scams currently being seen on campus can be found on the SecurePurdue website at www.purdue.edu/securepurdue.