Phishing E-mails

There is a growing problem of attempts to solicit personal information including Social Security Numbers, Birthdates, User Names, and account Passwords over e-mail.

SUNY Potsdam employees will never ask for this information over e-mail.

Such solicitations are called "phishing" and are attempts to steal your personal information.

http://en.wikipedia.org/wiki/Phishing

There are many warning signs that can alert you that you might be giving away your account information. Below are two examples of phishing emails with many "red flags" highlighted and noted:

Anatomy of a Phishing Email (Example 1)

This is an example of a phishing email that is trying to get you to reveal your username and password by replying to it.

From: "support@potsdam.edu" <support@potsdam.edu>
Date: August 1, 2008 9:20:54 AM EDT
To: "undisclosed-recipients": ;
Subject: Update Your POTSDAM E-mail Account
Reply-To: accounts@example.com [1]

Dear POTSDAM Users.
The reason for this message is because of the Email Scams & Phishing
going on the POTSDAM Network. We have decided to contact all our
students and staff to provide their password so that we can confirm
the active users and to de-activate the inactive user. [2] We regret
the inconveniences this might have cost you. [3]

Please provide us with the below details.
Username: [2]
Password: [2]

If you are unable to respond to this email for any reason, please
visit the following webpage and update your account details there:
http://www.example.com/accountnotice [4]

With the above details we can verify active potsdam.edu account. [5]

© 2008 The State University of New York at Potsdam, all rights
reserved. The State University of New York at Potsdam, 44 Pierrepont
Avenue, Potsdam NY 13676, (315) 267-2000 [6]

[1] When you attempt to reply to the email, the address you are sending to is not a potsdam.edu address.
[2] SUNY Potsdam employees will never ask you for your account information over email.
[3] Many of these phishing emails originate overseas where English is not the perpetrator's native language. Look for grammatical errors or sentences that "don't feel right."
[4] Pay attention to the URL of a web site; malicious web sites may look identical to a legitimate site but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
[5] We can verify an active account many, many different ways; all of them easier than asking our entire user population to reply to an email.
[6] Often a phishing attempt will use something from the host site to make it look "official."

Anatomy of a Phishing Email (Example 2)

This is an example of a phishing email that is trying to get you to go to a web page to enter your username and password under the guise of some service change.

From: "operator@potsdam.edu" <operator@potsdam.edu> [1]
Date: August 1, 2008 9:20:54 AM EDT
To: "undisclosed-recipients": ;
Subject: A new settings file for the helpdesk@potsdam.edu mailbox
has just been released
Reply-To: operator@potsdam.edu [1]

Dear user of the potsdam.edu mailing service! [2]

We are informing you that because of the security upgrade of the
mailing service your mailbox (helpdesk@potsdam.edu) settings were
changed. In order to apply the new set of settings click on the
following link: [3]

http://potsdam.edu/owa/service_directory/settings.php?email=helpdesk
@potsdam.edu&from=potsdam.edu&fromname=helpdesk [4]

Best regards, potsdam.edu Technical Support.
Letter-ID#QAZVV52OZGVZ9BRGN2BK7WH11TPC14XH78D5

[1] The reply-to address looks out of place or is not one you may have seen before.
[2] Many of these phishing emails originate overseas where English is not the perpetrator's native language. Look for grammatical errors or sentences that "don't feel right."
[3] We can globally apply changes to security settings to all accounts easily. If it were critical that this be done, it would be simpler and more reliable to do so than asking our entire user population to reply to an email or visit a website.
[4] Pay attention to the URL of a web site; malicious web sites may look identical to a legitimate site but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net), or, when visited with your browser, may not show the same address as the link you were instructed to click on.
[5] Some phishing emails include an official looking ID number. Ask yourself: "How would I verify that this jumble of numbers and letters means this email is real?" "What purpose does this jumble of numbers and letters serve?" "Does CTS have a site where I can verify this?" "Have I ever seen something like this from CTS before?"
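
The red flags noted for Example 1 (the Reply-To address, the request for a password, and the off-site link) can also be checked mechanically. The following is an added illustration, not code used by CTS; the function names, flag labels and the condensed sample message are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "potsdam.edu"  # the organisation's own domain, taken from the page

# Constructed sample: a condensed copy of Example 1's headers and body.
SAMPLE = """\
From: "support@potsdam.edu" <support@potsdam.edu>
Reply-To: accounts@example.com
Subject: Update Your POTSDAM E-mail Account

We have decided to contact all our students and staff to provide their
password so that we can confirm the active users.
Username:
Password:
If you are unable to respond, visit http://www.example.com/accountnotice
"""

def in_org(host, org=ORG_DOMAIN):
    """True only for the org domain itself or a genuine subdomain of it."""
    host = host.lower().rstrip(".")
    return host == org or host.endswith("." + org)

def red_flags(raw, org=ORG_DOMAIN):
    """Return the list of red flags found in one plain-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    # Note 1: replies go to a different domain than the claimed sender's.
    if reply_dom and reply_dom.lower() != from_dom.lower():
        flags.append("reply-to-mismatch")
    # Note 2: the message asks for account credentials.
    if re.search(r"\b(password|username)\b", body, re.I):
        flags.append("credential-request")
    # Note 4: a link whose host is outside the organisation's domain.
    for host in re.findall(r"https?://([^/\s:?#]+)", body, re.I):
        if not in_org(host, org):
            flags.append("off-domain-link:" + host.lower())
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

Example 2 would raise none of these flags: its Reply-To matches its From and the link it displays is on potsdam.edu, which is why its notes tell you to compare the address your browser actually shows and to question whether the request makes sense at all.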

Frequently Asked Questions

Q: Why can't these emails be stopped before I get them?
A: While our filters do catch some generic phishing emails, those that are customized to a particular site or are recently released are basically unstoppable. Many on the planet who received this email before you undoubtedly responded with their username and password, and now the phishers are sending out more such phishing emails using those folks' compromised authenticated credentials via their ISP's legitimate mail server.

Q: What happens if I respond to one of these emails?
A: Immediately change your password by visiting http://account.potsdam.edu. If your account remains compromised, CTS will scramble your password once we see thousands of outbound emails from your account.

Q: Why doesn't CTS send out a warning email when large numbers of these start appearing?
A: CTS does not want to get people in the habit of receiving warning emails because CTS staff do not always receive the same phishing emails as the rest of campus. If this were to happen, the perception would be, "I didn't get a warning from CTS, so it is okay for me to reply to this."

Q: Do I need to forward these to CTS or alert CTS when I get a phishing email?
A: There is no need to alert CTS at this time.