Phishing scams intensify

By Sarah Rutledge     8/21/08 7:00pm

While students and faculty may have been taking a break for the summer holidays, it appears internet scammers have been hard at work. Since February, there have been 14 rounds of phishing attacks, which led to a massive Rice e-mail blacklisting from several major e-mail providers this summer. An estimated 12 students, faculty and staff this summer volunteered their personal e-mail information to the fraudulent requests.Phishing, which can happen not only through e-mail but also via telephone, is the act of attempting to get a person's personal information. By obtaining a person's password and user identification to a university e-mail account via phishing attacks, scammers can access that account and can use it to send fraudulent messages to other e-mail services. Because many e-mail providers have relatively strict spam filters, scammers look for university webmail e-mail addresses, which are seen as legitimate, Information Technology Security Officer Marc Scarborough said. This way, scammers can send more e-mails through these accounts and increase their chances of getting money from their message recipients.

Scarborough said a common scam, called the Nigerian 419 scam, involves a message informing the recipient that he or she is the heir to a large fortune. To receive the money, however, the recipient must provide the executor of the will with money to supposedly begin transferring funds to the heir. Scammers might receive money from gullible recipients who have virtually no way to track down the scammers, as e-mail addresses are almost untraceable, Scarborough said. And though these scams may see just five responses per 1,000 e-mails sent, those are still worth the scammers' time, he said.

In May, Rice e-mail was temporarily blacklisted from e-mail providers at www.yahoo.com and AT&T due to the spam coming from several hijacked accounts. Scarborough said this four-day blocking of e-mails hurt Rice business.

---

---

But Rice is not the only university to fall victim to phishing, Scarborough said. Students, faculty and staff in universities across the world are receiving these requests for personal information. Scammers will modify their e-mails to mimic messages the university's IT departments might send to its students.

Rice phishing attempts have also gotten more sophisticated over the last few months, Scarborough said. While an early attack in February had Rice's address, an attack last month included the address, copyright, former campaign slogan "Unconventional Wisdom" in the footer and phrases from the www.rice.edu Web site. He said one phishing attack contained a fake message supposedly signed by IT Director of Communications Carlyn Chatfield, suggesting the scammers had familiarized themselves with the IT staff at Rice to make their messages look more authentic.

"Scammers take time to personalize these attacks so people are more likely to respond to these e-mails," Scarborough said.

Since the phishing messages are sent from a non-Rice spam e-mail account, the subject of the messages are marked with asterisks and the "spam" label, but the bodies of the e-mails are so convincing that many students volunteer their personal information anyway, Scarborough said.

Scarborough estimates that at least two separate groups are responsible for the phishing attacks so far.

When a phishing attack is reported, IT blocks that e-mail address from sending messages to any other rice.edu e-mail accounts. And if an account is taken over by scammers, which typically send out an uncharacteristically high frequency of e-mail, IT freezes the account until the correct user changes his or her password for security. Scarborough said it is hard to monitor what accounts are being used for scamming purposes, however, as students and faculty might just be sending more e-mails than usual. He also said anti-spam technology for outbound Rice e-mail was discussed, though because this tool would slow down the Web site considerably, it is not a serious option.

Scarborough encourages students, faculty and staff to not respond to any phishing attempts to supply personal information online.

---