Phishing e-mails pose new challenge on campus
March 12, 2008 -- Universities are the latest target of e-mail "phishing" scams. The Division of Information Technology is alerting SF State e-mail users to be vigilant and guard personal data.
Universities all over the world are being targeted by "spear phishing" e-mails, and San Francisco State University is no exception. The University's Division of Information Technology (DoIT) is urging users never to respond to bogus e-mails which ask for personal data.
Phishing e-mails pretend to be from a trusted source, the University's e-mail administrators for example, and then ask the recipient to reply with such details as their e-mail username and password. The messages are becoming increasingly convincing and often contain the University logo, links to SF State Web pages, and sender addresses which might even look like legitimate accounts.
"There's no joke about it. This is a serious matter," said Julianne Tolson, director of Web and user services. "Hackers will use the data you hand over for identity fraud or financial gain, and may use your e-mail account to distribute other scams."
"It is vitally important that people do not respond to these e-mails. It's like sharks, once there is blood in the water more sharks will come around," said Mig Hofmann, the University's new information security officer, who brings years of experience protecting data security at Boeing, the U.S. Postal Service, Stanford University and the University of California, San Francisco.
Phishing scams are not a new phenomenon, but the specific targeting of university e-mail users has stepped up in the last month. Attacks aimed at a particular sector in this way are called "spear phishing."
"In the past, we have received a handful of phishing e-mails, but the volume received since March 1 is unprecedented," said Tolson, who has been with SF State for more than 20 years.
The University is raising awareness about phishing scams through messages on the login pages to the "Inside SF State" Web portal and on the DoIT Web pages. Meanwhile, DoIT is exploring new software options that will intercept more phishing e-mails, and predict future tactics, so that these hoaxes never get through to people's inboxes.
"We want to reach people every way we can," Tolson said. "Now is the time to become more suspicious about who’s asking for your data. If we can educate people about the risks now, it will be lessons learned for a lifetime, even once people graduate or move on from the University."
-- Elaine Bible