Email Scam (Phishing) Advisory
The Gannon I.T.S. department will never ask for personal information, such as your network password or social security number, through an email.
What is Phishing?
Phishing is an identity-theft scam that uses "spoofed" or fake emails and Web sites to trick people into giving out personal information, such as credit card numbers, usernames and passwords, or social security numbers. Phishing is usually done by hijacking the brand identity of a bank, university, legitimate company, or an online store in a spoofed email that is sent to large numbers of people. The email will usually contain a link to a Web page designed to look just like a legitimate company's site. A phishing scam will use this page to capture any information that you provide, then sell or use the information for malicious purposes.
How do I avoid a phishing scam?
- Always be suspicious of e-mails asking for sensitive information.
Remember that e-mail is not a secure form of communication. Organizations you do business with already know your account information and will never request it from you in an e-mail. Phishers will usually include false statements that are designed to increase urgency and try to make you give up your information more quickly, such as "Your account is going to be terminated unless you respond immediately."
- Never respond to an e-mail request for personal information.
Always err on the side of caution. Look at the “From:” field in the e-mail. If the organization name does not match the “Reply To:” organization name, the message is probably spoofed (falsified). For example, a message from a local credit union or bank would not have a reply e-mail address ending in "yahoo.com". If you ever need to provide personal information like a credit card number, make sure you are using a secure, trusted web site or, if on a phone call, be sure you are the one that initiated the call to the company and not the other way around.
- Never follow the links in an e-mail you suspect might be phishing.
If you are unsure about a link to a site you receive in an e-mail, “hover” your cursor over it. If the link text in the e-mail doesn't match the link address, do NOT click it. Log directly onto the company’s web site or call the company. Most companies will know if there is a phishing scam involving their company and be able to verify if the information in the e-mail is real or not.
I think I've been scammed. What should I do?
- Report it to the company immediately.
If you have given out a password or account number or other important information, make sure you contact the company as soon as possible. If your credit card number was stolen, the company can cancel the card and provide you a new one. Banks will often do the same if your account is compromised. Most companies are prepared to deal with these kinds of problems, and the sooner you report it the better.
- Report it to the FTC.
Visit www.ftc.gov to report suspicious email, file a complaint if you've been scammed, and find out more information about minimizing the risk and damage of identity theft.
Additional Information about Phishing:
- Phishing and Identity Theft
Video from Microsoft: What you should know about phishing identity-theft scams.
- Anti-Phishing Working Group
Lists the latest phishing scams, information on protecting yourself, and what to do if you've been scammed.
- Federal Trade Commission
An article by the FTC on how to not get taken by a phishing scam.
- Wikipedia
An informative article about phishing, with a list of additional links to more information.
- OnGuardOnline
Practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information.
This web page is maintained by Information Technology Services x7501
Location: Palumbo 3000 - 3rd Floor * HelpDesk: 871-7501 * Fax: 814-871-5560 * Hours: 8:00 AM - 4:30 PM, Monday - Friday