Phishing is the use of email and fraudulent web sites to trick people into disclosing personal financial or identity information, such as credit card or Social Security numbers, user names (e.g., UAnet IDs), passwords and addresses. Although most "phishes" come as email, phishing scams can also come in the form of text messages and phone calls. It's called "phishing" because the criminals are broadcasting phony emails to large numbers of addresses, and they're hoping the recipients will "take the bait." The emails will either try to entice you with promises of great deals, or scare you into providing the information.
Phony emails are sent from addresses across the Internet and appear to be from reputable organizations, but are not. The emails are actually from criminals who are attempting to lure you into providing your personal information. Often both the emails and the web pages they direct you to look just like you would expect to see from that organization, since the logos and formats have been copied. The message uses social engineering tactics that might indicate there is a problem with your account, and urges you to respond immediately by clicking a web link to "verify" or "update" your account information.
It's important to note that the company being spoofed has nothing to do with the scam. Their name is just being used to trick you into "taking the bait."
If the email appears to be from an organization with which you do not currently do business, discard it. If it appears to be from an organization such as your financial institution, contact that organization for instructions. It is important that you not use the phone numbers, or web or email addresses included in the suspicious email, as they may not be legitimate, but could connect you with the criminals. Use officially published addresses and phone numbers from the institution where you do business.
How to Report a Phishing Email
If you are using the Outlook client, you can submit emails like this using the report message tool. If you are using Outlook WebApp: Click the email then click on Junk and it will give you an option to report the email as Phishing/Junk or just block it.
Outlook Desktop Client
If you are using Linux or a third-party email application, you can send the email as an attachment to the following email addresses: email@example.com
Scam tactics are increasingly sophisticated and change rapidly. Even if a request looks genuine, be skeptical and look for one or more of these warning flags:
- The message is unsolicited and asks you to update, confirm or reveal personal identity information (e.g., full SSN, account numbers, UAnet ID, passwords, protected health information).
- The message creates a sense of urgency.
- The message may have an unusual "From" address or an unusual "Reply-To" address instead of a recognizable "@uakron.edu" or "@zips.uakron.edu" style address.
- The (malicious) web site URL doesn't match the name of the institution that it allegedly represents.
- The web site doesn't have an "s" after "http" (for example, https://) indicating it is not a secure site.
- The link in the pop-up doesn't match the printed text.
- The message is not personalized. Valid messages from banks and other legitimate sources usually refer to you by name.
- There are grammar or spelling errors.
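The header and link checks from the warning flags above can be automated. The following is an added example, not part of the original page or a University of Akron tool: the sample message, its addresses and hosts, and the flag names are constructed for illustration, and the trusted domains are the ones named on this page.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = ("uakron.edu", "zips.uakron.edu")  # address styles named on this page
SAMPLE = """From: "UA Help Desk" <helpdesk@uakron-support.example>
Reply-To: collector@mailbox.example
Content-Type: text/html

<p><a href="http://login.portal.example/verify">auth.uakron.edu</a></p>
"""  # constructed sample; every address and host in it is made up

class LinkCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_of(header):
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def warning_flags(raw):
    msg, flags = message_from_string(raw), []
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if not any(sender == d or sender.endswith("." + d) for d in TRUSTED):
        flags.append("unusual-from")
    if reply and reply != sender:
        flags.append("reply-to-mismatch")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        url = urlparse(href)
        if url.scheme == "http":
            flags.append("no-https")
        if "." in text and " " not in text:  # visible text looks like a host/URL
            shown = urlparse(text if "://" in text else "//" + text).hostname
            if shown != url.hostname:
                flags.append("link-text-mismatch")
    return flags
```

A message that raises none of these flags can still be a phish; the checks only cover the sender and link items in the list, not urgency, personalization or spelling.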
In the case of banking, the results are obvious: the scammer now has access to your money. However, in a university, what they gain access to is a bit different and could cause damage to both yourself and others. They could potentially gain further information about you and your friends/coworkers that they could use to steal more identities. They gain access to your email, allowing them to read and send messages on your behalf, including high quantities of spam. They will have access to University of Akron services that you are authorized to use, and could do things like change your insurance beneficiaries, direct deposit, emergency contact information, your course selections, etc. They could also lock you out of your account by changing your password.
Often, once a hacker has your UAnet ID and password, they will use YOUR email account to send huge volumes of spam. This could result in University of Akron email being blocked by some sites, preventing legitimate email from being delivered for multiple days.
If you receive email soliciting confidential information such as your password, Social Security Number, credit card number or other sensitive information, with instructions to send it via email or click on a link to verify it, this is likely a scam. Email messages travel over the Internet in an insecure manner, and you should never send sensitive information in an email. University of Akron will NEVER request this information from you via e-mail. You can view some sample phishing scam messages here.
If you have followed the link on a suspicious email or have noticed unusual activity relating to your account, you may have been compromised. If this is the case, you should take the following steps in order to protect yourself:
- Reset your password – You can reset your password at auth.uakron.edu. You may want to do this from a computer you know is secure, so that if your machine itself is infected, your password will not become compromised.
- Run a virus and malware scan – Even if you believe that only your email was compromised, it never hurts to run a virus and malware scan to ensure that your machine is clear of infections. If you are not sure how to run virus or malware scans, step 3 has information on where you can get assistance.
- If you believe that your machine was compromised or if your virus and/or malware scans turned up an infection, you should have it looked at by an IT technician. If it is a University-owned device, please contact the UA support desk at 330.972.6888. If it is a personal machine, you can bring it to Student Computer Support Services (SCSS), located in the Computer Center at 185 Carroll Street. Note: For personal computers, SCSS charges a bench fee for repair services.