The email looks legit. There might be a misplaced capital letter and some awkward-sounding language, but who reads emails that carefully? Your account needs updating – well, maybe it does. You click on the link and see what looks exactly like the Gryph Mail login page, U of G logo and all. You probably don’t even notice that you’re being asked to type your password in twice, or that the page’s URL is not even related to U of G.
And if you type your password in, you’ll be caught in another phishing scam.
Don’t feel bad. Roughly 100 people at U of G get caught every month, and as the phishing scams get more sophisticated, it’s easier to be fooled.
“A large part of the work we do in this department is to resolve situations where accounts have been compromised,” says Gerrit Bos, IT security officer in the office of the chief information officer.
When you type your password into that innocent-looking form, an online criminal gets your password. He or she can then use your account to send more phishing messages – messages that will be more believable because they come from an actual U of G account. The criminal – and most today are part of a criminal organization, Bos says – also has access to anything that’s behind your central login: your emails, course information, grades, your pay and pension information, etc.
If your compromised central login account is used to send phishing messages, other internet providers such as Rogers, Yahoo and Gmail may block all emails from the University of Guelph, creating real problems for the entire University community. Says Bos: “We then have to convince them that we’ve gotten this straightened out before they’ll unblock us.”
How can you avoid being caught on the phisher’s hook? The University takes significant steps to protect you: over 90 per cent of the spam emails sent to students, staff and faculty are filtered out by spam detectors.
In the last week of August, 92.4 per cent of all spam emails were filtered out. “These emails never make it to anyone’s inbox, so you don’t have to worry about them,” explains Bos.
A few still get through, and Bos suggests a couple of steps you can take when you receive one of these questionable emails. Before clicking on any link, first mouse over it so that the address will be revealed. If it purports to be from U of G but has an obviously non-Guelph URL, don’t click on it.
If you have clicked through to a site, then realize your mistake, don’t enter any information. Bos says some sites ask for a long list of information, allowing them to steal your identity if you give them the information.
“Remember that the University will never ask for your password,” says Bos. “Your password belongs to you. Keep it secure, because a lot of important things are behind it.”
If in doubt, or if you’ve made a mistake, contact Computing and Communications Services (CCS) through the CCS Help Centre at 519-824-4120, Ext. 58888, or email email@example.com. You can also check the website http://www.uoguelph.ca/cio/content/recent-scams-and-phishing-attempts where past phishing emails are posted to see if the one you’ve received is there.
While responding to a phishing email is the most common way an account is compromised, Bos adds that people can also get into trouble at unsecure wifi locations such as airports and restaurants. Access to Gryph Mail and other campus services such as CourseLink and WebAdvisor is encrypted to be safe even in those unsecure locations, but your computer can be infected with malware that will “sniff out” your passwords.
If your account is compromised, it will be locked until the University can resolve the situation. If sensitive information might have been accessed, Bos says this must be reported to the privacy commissioner of Ontario.
“No one is really safe from these scams,” he adds. “Often it’s just that people are so busy, they respond to the email without checking. If you have any doubts, don’t click; call or email the CCS Help Centre so you can protect yourself and others.”