Campus Alert: Find the latest UMMS campus news and resources at umassmed.edu/coronavirus

Search Close Search
Page Menu

Email Phishing

Avoid phishing scams

 

Phishing explained

Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your internet service provider, your bank). These messages usually direct you to a spoofed website or otherwise get you to divulge private information (e.g., passphrase, credit card, or other personal identification). The perpetrators then use this private information to commit identity theft.

Phishing scams are crude social engineering tools designed to induce panic in the reader. These scams attempt to trick recipients into responding or clicking immediately, by claiming they will lose something (e.g., email, bank account). Such a claim is always indicative of a phishing scam, as responsible companies and organizations will never take these types of actions via email.

 

Specific types of phishing

 

Phishing scams vary widely in terms of their complexity, the quality of the forgery, and the attacker's objective. Several distinct types of phishing have emerged.

Deceptive phishing

Deceptive phishing is the most common type of phishing scam. These scams occur when a recognized source emails you to compromise information. Typically, these emails request that you:

  • Verify account information
  • Re-enter information, such as logins or passwords
  • Request that you change your password
  • Make a payment

Once this information is input, hackers can access your accounts and then utilize the sensitive information to steal payment card information, sell your personal information or otherwise utilize your sensitive information for gain.

Spear phishing

Phishing attacks directed at specific individuals, roles, or organizations are referred to as "spear phishing". Since these attacks are so pointed, attackers may go to great lengths to gather specific personal or institutional information in the hope of making the attack more believable and increasing the likelihood of its success.

The best defense against spear phishing is to carefully, securely discard information (i.e., using a cross-cut shredder) that could be used in such an attack. Further, be aware of data that may be relatively easily obtainable (e.g., your title at work, your favorite places, or where you bank), and think before acting on seemingly random requests via email or phone.

Whaling

The term "whaling" is used to describe phishing attacks (usually spear phishing) directed specifically at executive officers or other high-profile targets within a business, government, or other organization. Hackers impersonate executives by using their email address or a similar email address to request personal/trade information or authorize transactions that result in money being pilfered.

 

Avoid scams

Phishing can come in many different forms, from obvious-to-spot frauds to sophisticated deceptions, but they share some common characteristics. Before you click a link, consider if the message you are reading contains these suspicious attributes:

  • Sense of urgency and time constraint
  • Fear of losing money or winnings
  • Requests to verify accounts or credit card numbers
  • Communication from services you do not use
  • PDF Attachments from businesses
  • Generic email providers
  • Poor grammar and spelling
  • Confirmations that lack details, such as delivery locations or travel dates
  • Any emails from the IRS
  • Unexpected, but out of character, emails from people you know
  • Files or links that require you to download additional software to view them
  • Unfamiliar links or close, but not quite right, links

Remember

  • The University of Massachusetts Medical School and other reputable organizations will never use email to request that you reply with your password, full Social Security number, or confidential personal information. Be suspicious of any email message that asks you to enter or verify personal information, through a website or by replying to the message itself. Never reply to or click the links in such a message. If you think the message may be legitimate, go directly to the company's website (i.e., type the real URL into your browser) or contact the company to see if you really do need to take the action described in the email message.

 

Report phishing attempts

  • If the phishing attempt targets UMMS in any way (e.g., asked to provide personal information, such as username, password, or other types of information), Report the Problem to the UMMS Information Security group.

 

Examples of phishing scams


 

From: ADP HR Portal <kkguillen@utm.edu.ec>
Date: Monday, February 6, 2017 at 11:14 AM
Subject: Action Required: Changes to your Pay-stub

The Human Resources/Payroll Department has completed the final pay-stub changes for 2017 tax year.

To view the changes to your pay-stub information and view/download your W-2 forms (2014 - 2016 tax years), go to: Adp Portal

We hope you find the changes to your pay-stub information useful and welcome any comments you may have.

Yours Sincerely


 

From: Lambert, Noreen
Sent: Friday, August 25, 2017 2:14 PM
Subject: From Admin Your mailbox is full  

Your mailbox is full.

33MB

30MB

Dear Webmail User,

Your mailbox has exceeded the storage limit which is 10GB as set by the administrator, you are running the 13.6 GB, please re-authenticate your mailbox click or copy the link below:

https://umassmemorial.jimdo.com/

Warning: failure to re-set your mailbox to be processed and-active from our database.

System Management Team,

Copyright © 2017

 web masters


 

From: ApplelD [mailto:Account@hotg.ebay.com]
Sent: Friday, September 15, 2017 8:13 AM
To: Carmody, James
Subject: Review your recent activity

Αpplе lD

Yοur Accοunt Hаѕ Bееn Diѕаblеd!

Yοur аccοunt hаѕ bееn diѕаblеd tеmporarily in ordеr to protеct it. The аccοunt will continuе to be diѕаblеd until it is approvеd. Once you havе updatеd your аccοunt rеcords, your information will be confirmеd and your аccοunt will start to work as normal once again. The process does not take more than 5 minutes. Once connected, follow the steps to activate your account. We appreciate your undеrstanding as wе work to ensure sеcurity.

The restore the access to your account please click on the link below :

Vеrify Yοur Accοunt Now

    • Location : CANADA
    • IP address : 213.168.37.86
    • Navigator : Safari 28.0 on Iphone

This is an email sent automatically. Please do not reply to this letter, because the e-mail address is only configured to send but not to receive e-mails.