April 17, 2008

Phishing Incidents Spam Cornell’s E-mail Listservs


If you receive an email from the Cornell Federal Credit Union informing you of a “billing failure,” delete it. This seemingly innocent email is an illegal attempt at gaining personal information known as “phishing.”
Phishing is the sending of a fraudulent e-mail that appears legitimate in order to fool its recipients into giving away personal information such as credit card and Social Security numbers. Since its early days, it has expanded its range, targeting bank accounts and university e-mail servers.
Scott Schuster, director of the Cornell IT Security Office, said that this phishing e-mail is only the latest in a line of phishing scams directed at the Cornell community.
“In the past six weeks, there has been a minimum of four people having been tricked by a phishing scam,” he said. “Usually, half a dozen people get fooled by each phishing scam.”
“Probably a dozen or so people have received this email,” he added, “but we have no examples yet of people being tricked by it.”
According to The New York Times, phishing comes in several varieties, including whaling, which targets large, wealthy organizations such as Citibank, and spear phishing, which targets a specific person.
In addition, Cornell is not the only university to have received phishing e-mails. The Times reported that 2,000 people received phishing emails at the University of Illinois at Urbana-Champaign. The Chronicle of Higher Education reported that at North Carolina State University, 2,600 users received phishing emails, with at least 40 responding and being successfully tricked by the scam, and that in one case, a single attacker sent 10,000 messages at Indiana University.
There is no active method to prevent phishing, which can come from numerous sources without warning. Schuster noted that Cornell’s protective measures were largely reactive.
“We put filters on the mail system,” he said, “but we can only prevent the ones we identify … there’s no guarantee against new, different phishing scams.”
“We hope that people will get wiser as these become more prevalent, and just ignore them,” he added.
In a security alert on the CIT website, an example is given of a phishing e-mail claiming that Cornell was updating its website and required the recipient’s user name, password and date of birth.
On the site, CIT emphasized that no department at Cornell University would ever request personal information from any student via e-mail and urged recipients not to reply and simply to delete the e-mail.