On this page:

• What is phishing?
• What are the risks?
• Phishing attacks at UMass Amherst

Phishing can be damaging and has already harmed individuals on campus. Find out more about phishing and its risks below. Don't get hooked!

What is phishing?

Phishing refers to various online scams that ‘phish’ for your personal and financial information (e.g., your passwords, Social Security Number, bank account information, credit card numbers, etc.).

These messages claim to come from a legitimate source: a well-known software company, online payment service, bank, or other reputable institution. Some will use an organization's email address, logo, and other trademarks to fake authenticity. Phishing messages may also appear to be from a trusted friend or colleague.

Phishing messages can come from a growing number of sources, including:

• Email
• Phone calls
• Fraudulent software (e.g, anti-virus)
• Social Media messages (e.g., Facebook, Twitter)
• Advertisements
• Te.gt messages

What is spear phishing?

More sophisticated attacks, known as spear phishing, are personalized messages from scammers posing as trusted people or institutions. They often collect identifiable information about you from social media or the compromised account of someone you know, making their messages more convincing. Never transmit sensitive information over email or social media, even if the message requesting information appears to be legitimate. 

Signs of phishing include:

• Ultimatum: An urgent warning attempts to intimidate you into responding. e.g: ‘Warning! You will lose your email permanently unless you respond within 7 days.'
• Incorrect URLs: Scammers may obscure URLs by using hyperlinks that appear to go to a reputable site. Hover your mouse over any suspicious links to view the link address. Illegitimate links often contain a series of numbers or unfamiliar web addresses.
• No signature or contact information: Additional contact information is not provided.
• Too good to be true offer: Messages about contests you did not enter or unbelievably priced offers for goods or services are likely fraudulent.
• Style inconsistencies: Pop-up windows that claim to be from your operating system or other software may have a different style or colors than authentic notifications. Messages claiming to be from a reputable organization may miss branding aspects such as a logo.
• Spelling, punctuation, or grammar errors: Some messages include mistakes. e.g: ‘Email owner that refuses to update his or her Email, within Seven days’
• Attention-grabbing titles: "Clickbait" titles (e.g., "You won't believe this video!") on social media, advertisements or articles are sensationalist or attention-grabbing and often lead to scams.

For more information, see the FTC's page about Phishing.

What are the risks?

Don’t be fooled! These fraudulent communications in most cases have nothing to do with the institution they claim to be affiliated with. Opening, replying, or clicking the links provided in these emails poses a serious security risk to you and the campus network.

Some of the risks involved are:

• Identity theft: Providing your personal information in response to a phishing attempt can be used to access your financial accounts, make purchases, or secure loans in your name.
• Virus infections: Clicking once on some fraudulent emails including links or attachments can download malicious software to your computer. Others may also install keystroke loggers that record your computer activity.
• Loss of personal data: Some phishing attacks will attempt to deploy crypto malware on your machine, malicious software that encrypts files on a victim’s computer and denies owners access to their files until they pay a ransom.
• Compromising institutional information: If your university IT account is compromised, scammers may be able to access sensitive institutional information and research data.
• Putting friends and family at risk: If your personal information is accessed, attackers will scan your accounts for personal information about your contacts and attempt to phish for their sensitive information. Phishers may also send emails and social media messages from your accounts to attempt to gain information from your social network.

Phishing attacks at UMass Amherst

University members may receive more targeted phishing emails, asking specifically for their IT Account NetID and/or password. These fraudulent emails claim to be official university communications (or otherwise originate from a legitimate office on campus). Most will ask you to ‘immediately update’ your personal information or face serious consequences.

Don’t be fooled! These emails do not come from UMass Amherst IT/UMass Amherst. They are fraudulent messages attempting to compromise your personal information.

UMass Amherst IT will never ask for your IT Account password or other sensitive information via email or link.

Note: Email spam filters intercept some fraudulent emails, but they are not foolproof. You must learn to identify phishing scams and take the appropriate steps to protect your computer and your information.

By responding to these emails with your IT Account information, you provide access to your email and possibly grades, financial information, and other sensitive details from your university records.

 

Learn more about how to protect yourself against phishing scams and identity theft.

Report any potential phishing attempts to IT's Information Security team: itprotect@umass.edu