Be suspicious. Be very suspicious. Especially if it looks official - bank, credit card company, university human resources - and they're asking for your personal information.
The sender may not be official at all, but rather someone fishing, or "phishing" - attempting to lure you into giving up information that may be used to access your personal accounts.
That's the message from one campus official in the wake of a recent sophisticated phishing scam directed at individuals on the U. of I. campus, similar to attacks reported at other Big Ten schools.
In early July, some individuals received a message allegedly from "UIUC Human Resources," which directed them to what looked like a university Enterprise Authentication Login page, with an additional field for their PIN.
It was apparently an attempt "to gather enough information to access university resources and potentially change personal information, such as payroll direct deposit information," according to Joe Barnes, the interim chief privacy and security officer for Campus Information Technologies and Educational Services, writing in a July 7 massmail to the campus.
Whether any information was compromised is still under investigation, Barnes said. The Office of Privacy and Information Assurance notified the original recipients of the message - estimated to be less than 1 percent of individuals on the Urbana campus - and is monitoring affected accounts for suspicious changes. OPIA and CITES also are working on changes to better protect the university, its faculty and staff members, and students from future attacks, he said.
"Fighting the battle against phishing is a balance between technology and user awareness," Barnes said. "From a technology standpoint, we are constantly working to improve systems to reduce the theft of both personal and university information. From an individual's standpoint, they should feel empowered to question emails that do not seem legitimate. If they fall victim to a phishing message, they should not be afraid to say so. Not providing information to IT professionals trying to assist you can delay or prevent aid, which in the end may lead to bigger problems."
When receiving official-looking email, Barnes advised:
- Never respond directly to an email asking for your password or to update account information, no matter how official it may look. The U. of I., as a policy, will never ask for information that way.
- Check the link to make sure it's taking you to an official site. The safest practice is to open a browser and type in the address, rather than clicking on the link.
- Only enter your U. of I. username and password on sites that have "illinois.edu" or "uillinois.edu" at the beginning of the address in the address bar.
- Also check for "https" at the beginning of the address, a requirement for any website asking for sensitive information.
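The link and address checks above can be turned into a small script. The following is an added example written for this page, not code from the university or from CITES; the trusted domain list comes from the advice above, and the sample URLs are constructed to show the cases that matter. It also shows a caveat a practitioner would want: a literal "illinois.edu at the beginning of the address" test passes look-alike addresses such as illinois.edu.evil.example or illinois.edu@evil.example, so the check has to be done on the whole host name, label by label, after the scheme and any user-info part have been stripped.

```python
from urllib.parse import urlsplit

# Domains the advice names as the only acceptable places to enter a U. of I. login.
TRUSTED_DOMAINS = ("illinois.edu", "uillinois.edu")


def host_is_trusted(host: str, trusted: tuple = TRUSTED_DOMAINS) -> bool:
    """True if host is exactly a trusted domain or a subdomain of one.
    Matching is on whole DNS labels, so 'illinois.edu.evil.example' and
    'notillinois.edu' both fail while 'login.illinois.edu' passes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_login_url(url: str) -> dict:
    """Evaluate a URL a user is about to type a U. of I. password into.
    Returns the parsed host, an ok flag, and the reasons it was rejected."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""          # hostname drops user-info and port
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("not https")
    if not host_is_trusted(host):
        reasons.append("host %r is not illinois.edu/uillinois.edu" % host)
    if parts.username is not None:
        reasons.append("user-info before '@' disguises the real host")
    return {"host": host, "ok": not reasons, "reasons": reasons}


def naive_prefix_check(url: str) -> bool:
    """Literal reading of 'illinois.edu at the beginning of the address':
    strip the scheme and see whether the rest starts with a trusted domain.
    Included only to show why that reading is not enough."""
    rest = url.strip().split("://", 1)[-1].lower()
    return rest.startswith(TRUSTED_DOMAINS)


# Constructed sample links, the kind a phishing message might carry.
SAMPLE_URLS = [
    "https://login.illinois.edu/auth",              # legitimate
    "http://illinois.edu/login",                    # right host, no TLS
    "https://illinois.edu.evil.example/login",      # trusted name as a prefix
    "https://illinois.edu@evil.example/login",      # trusted name as user-info
    "https://notillinois.edu/login",                # near-miss domain
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict = classify_login_url(u)
        print("%-45s prefix-check=%-5s full-check=%-5s %s"
              % (u, naive_prefix_check(u), verdict["ok"],
                 "; ".join(verdict["reasons"])))
```

Running the script prints one line per sample URL; the two look-alike addresses pass the prefix check and fail the full check, which is the point of parsing the host rather than eyeballing the start of the string. Typing the address into a browser yourself, as the advice recommends, sidesteps the problem entirely because there is then no attacker-supplied link to parse.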
Additional information on how to spot phishing attempts and examples of recent campus-directed phishing attempts can be found online.
Barnes said campus users who receive what they believe might be a phishing message can do any combination of the following: delete the message, forward it to their local IT staff members and/or forward it to firstname.lastname@example.org for further evaluation. They also can contact the CITES Help Desk by emailing email@example.com or calling 217-244-7000.