Phishing - Don't Take the Bait

Have you ever received an email from eBay, or some other well-known organization, claiming your account is going to be closed or blown to bits unless you respond immediately to the email? If so, you have experienced phishing, the tactic of making sensational claims to acquire personal or financial data from people. Phishing, though not new in terms of the Internet, continues to refine itself by trying to strike the perfect balance between the sensational and the believable.

Use the Clues - Like a detective, you must find clues to keep your Inbox safe from phishing.

Catching a Phish -  Get a behind-the-scenes look at a phishing attack that struck William & Mary and advice on how to keep phishing at bay.

Phishing for a W&M Username and Password

Phishing scams may take the form of bogus emails that often appear entirely legitimate, perhaps claiming to be from the W&M IT department.  They may inform you that the IT department is performing an upgrade and that you must send your userid and password to prevent your data being lost during the upgrade.  While many variations on this theme have been reported, the bottom line is the same.  These are not legitimate requests.  No department or individual at the College has any legitimate reason to know your userid and password.  So just don't do it.  If you receive an email of this sort, please forward it to [[abuse]] and the Information Security Office will respond.

We will never ask you to send us your password in an email message!

Phishing for Personal Information

For years, phishers have established credibility by creating email messages that use the same typeface and logos as legitimate organizations. A scam in late 2004 claimed the FDIC was beginning a new program to track suspicious activity on accounts linked to ATM, debit and check cards. No such program was in the works, but the link took the email recipient to what looked to be a legitimate FDIC site. There, recipients were to register their accounts with the FDIC, or what they thought was the FDIC. Even the URL looked legitimate.

Phishers are tricky, but there are ways to put a chink in their chain by looking for some warning signs:

  1. Avoid clicking on links within suspicious-looking emails. As in the FDIC scam, many phishers have devised ways to mask URLs to look remarkably legitimate.
  2. Often phishing messages contain grammatical or typographical errors.
  3. Phishers tend not to personalize their emails since they don't usually know their recipients' identities and because they don't even know if the recipient has any affiliation to the organization they're trying to spoof.
  4. Prizes galore, but only in exchange for some of your personal or financial data. Hint: there is no prize.

It's best to err on the side of caution and call the organization directly, using a phone number you have on file and not one from the email, to learn whether the email is legitimate. If you've been a victim of a phishing scam, immediately contact the Internet Crime Complaint Center and visit the Anti-Phishing Working Group's Consumer Advice page to learn what action you can take.

Notifications sent by W&M IT

You can expect to receive a few legitimate email notifications from W&M IT. These notifications may link to a web page where you must enter your WMuserid and password to log in. These notifications are for (but not limited to):

  • Your yearly password reset
  • The annual network authentication (usually in early August)
  • Verification of phone locations

You can also access most of these services from the IT website. For example, you can reset your password by going to the IT Services page and choosing "Change Your Password" in the Accounts and Passwords section, instead of following the link in the notification email.

If in doubt, contact the Technology Support Center at [[support]], 757-221-4357 (HELP).