This article is from the archives of the UB Reporter.
News

Phish tale

Don’t get caught hook, line and sinker in online scams


By SUE WUETCHER
Published: Dec. 13, 2012

The email message seems innocent, even helpful. You’ve exceeded your email quota, but don’t worry: Your quota will be increased if you just click on this link. Or enter your UBIT user name and password. The message claims to contain information confidential and proprietary to buffalo.edu. It even appears to have been sent on behalf of administrator@buffalo.edu.

But click on that link and you could be in a world of trouble. You’ve likely been phished.

While phishing’s been around a long time, the attempts seem to have stepped up in recent months. And phishers are becoming much more sophisticated in how they try to hook you.

“The phishers have refined their ability to simulate well-known websites—banks, Facebook, your university or employer,” notes Jeff Murphy, security program manager for UBIT. “As people have become better at recognizing phishing attempts, the attempts have had to get more sophisticated. The incentive to phish is financial; as long as there is money to be made, phishers will continue to try to trick you.”

Just what is phishing?

Phishing, Murphy explains, is when someone sends you any message disguised to look like a legitimate message. “The intent of the message is to get you to disclose personal information—an account number, a username and password, and so on,” he says. “The message itself may ask for this information, but more typically, it will ask that you click on a link in the message. The link will take you to a website that is a copy of a legitimate website. You will be asked to log in, and if the phisher is successful, you will be fooled into believing that the website is authentic and you will log in to it.”

And it’s not just happening with email, Murphy notes: smartphone users have to worry about SMS phishing, or “smishing”—the smartphone equivalent of email phishing.

The recent rise in phishing may be due, in part, to the increasing popularity of Facebook. Murphy says the connection between phishing and the social media network is strong.

“Many people use the same password everywhere, so if they can capture your Facebook password, they have typically captured your bank password, your school password and so on,” he says. “Once they’ve figured out your Facebook password, they can click on your profile to learn details you may keep private: your email address, your school or employer, etc. They can then go try those accounts with the same password.”

Facebook also offers a simple platform where the phisher can use someone you trust—your friends—to get you to click on a link. “All they need to do is compromise your friend’s Facebook account and message you. Since you trust that friend, you are very likely to click that awesome cat video they just sent you,” he says. “From there, the typical phishing pattern resumes: The video link will take you to a website that is an exact copy of the Facebook login page. You will then think ‘ok, I guess I need to log in.’ Once you log in, the phisher shows you the video in order to hide the fact that he just stole your credentials. He then will log in to your Facebook account and, as you, send the same phishing message out to all of your friends, continuing the scam.”

And, of course, there’s the financial incentive.

“Your account may be used to ‘like’ product pages on Facebook,” he says. “Believe it or not, people will pay for these ‘likes’—try Googling ‘buy Facebook likes.’ So once the phisher has your Facebook login, he may use your account to sell ‘likes.’”

The UBIT mail system checks incoming messages to see if they look like “spam,” Murphy says, noting that phishing attempts may be classified as “spam” and filtered from inboxes.

However, it’s not 100 percent effective, so user awareness is needed to fill the gap.

What can faculty and staff do to protect themselves from phishing attempts, both at UB and on home computers?

“The best thing to do is always question if a message you received is legitimate,” Murphy advises. “If you are asked to log in, but the ‘URL’ at the top of your web browser says anything unexpected, you should not log in.”

Say, for example, you are a Citibank client and you get an email message saying you need to log in to Citibank to deal with something. But when you check the URL, it does not say “citibank.com.” Then you should not log in, he says.

“This is the most reliable way of detecting phishing, but it takes some thought,” he says. “Some phishing messages are obvious—for example, if you aren’t a Citibank customer, but receive a message from them asking you to check your account, just delete it.”

And if a Facebook friend sends you a video link and you are asked to re-log in to Facebook, “be very careful. Facebook generally ‘remembers’ your password so you don’t have to log back in once you are using it,” he says. “If you suddenly are asked to log in, carefully inspect the ‘URL’ in your browser and be certain it says ‘https://facebook.com/’”
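As an added, programmatic illustration of the URL check Murphy describes for the Citibank and Facebook cases (this is example code written for this page, not code from the article or from UBIT): the helper below takes the link in a message and the site it claims to belong to, and compares the link’s hostname as a whole, from the right-hand end, rather than looking for “citibank.com” anywhere in the string. That distinction is what defeats the lookalike hosts phishers use. The sample links, the .example hostnames and the 198.51.100.7 address are constructed for the example and do not refer to real sites.

```python
# Added example: apply "check the URL before you log in" to a list of links.
# Not part of the UB Reporter article; sample data below is constructed.
from urllib.parse import urlsplit


def check_login_link(url: str, expected_domain: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only if `url` is an HTTPS URL whose
    host is `expected_domain` or a subdomain of it.

    Looking for "citibank.com" as a substring is not enough: the browser
    connects to the registrable domain, so the host must match as a whole.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https"
    # .hostname drops any user@ prefix, port and IPv6 brackets and lowercases,
    # so "https://citibank.com@198.51.100.7/" yields the IP, not the bank.
    host = parts.hostname
    if not host:
        return False, "no hostname"
    host = host.rstrip(".")
    if not host.isascii():
        # Non-ASCII letters in a hostname are a classic homograph lookalike.
        return False, "non-ASCII hostname (possible lookalike)"
    expected = expected_domain.lower().rstrip(".")
    if host == expected or host.endswith("." + expected):
        return True, "ok"
    return False, f"host {host!r} is not {expected!r} or a subdomain of it"


# Constructed sample links: (link in the message, site the message claims to be)
SAMPLE_LINKS = [
    ("https://www.citibank.com/login", "citibank.com"),               # genuine
    ("https://online.citibank.com/", "citibank.com"),                 # genuine subdomain
    ("http://www.citibank.com/login", "citibank.com"),                # no TLS
    ("https://citibank.com.secure-login.example/", "citibank.com"),   # lookalike suffix
    ("https://citibank.com@198.51.100.7/login", "citibank.com"),      # user@host trick
    ("https://www.facebook.com/login.php", "facebook.com"),           # genuine
    ("https://facebook.com-video.example/watch", "facebook.com"),     # hyphen lookalike
    ("https://fakebook.example/", "facebook.com"),                    # typo lookalike
]


def screen_links(links):
    """Return [(url, ok, reason), ...] for each (url, expected_domain) pair."""
    return [(url, *check_login_link(url, dom)) for url, dom in links]


if __name__ == "__main__":
    for url, ok, reason in screen_links(SAMPLE_LINKS):
        print("LOG IN" if ok else "DO NOT LOG IN", url, "-", reason)
```

The check is deliberately strict: a plain http:// link to the right site is also refused, since a login page without TLS is exactly what a password-capturing copy would serve. The same rule is what a person does by eye in the browser’s address bar: read the host name from its end, not from its start.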

The same caution applies to smartphone use, Murphy says. “If you receive a message on your phone that asks you to ‘reply’ to it, or go to a website, you should not. My advice is, unless you’ve given your number to a business, friend or employer, any SMS messages you receive on it are suspicious unless you know from whom they are coming.”

But suppose you took the bait, and clicked on a link you shouldn’t have?

“You should change your password and security questions immediately and ask your IT support for further advice,” Murphy says. “They may want to scan your PC—if you are faculty/staff—to be sure it’s clean. Changing your password and security questions quickly is very important, though.

“You can do that at http://ubidm.buffalo.edu; it stands for ‘UB Identity Management.’”