UR Employees Targeted by Scam Emails

Jul 5, 2013

Staff and employees at an upstate university are being warned to stay alert for what are known as phishing attacks: fake but official-looking emails and websites that try to acquire sensitive information such as passwords and Social Security numbers.

The problem, explains Matt Bernius, facilitator of social group Hacks and Hackers, is that these electronic attempts to steal personal information are so simple and convincing that they’re difficult to stop.

You might get an email that looks like it’s from your bank, telling you your account has been compromised and you need to change your password by “clicking here.”

Bernius says this type of scam is particularly hard to stop because it’s not difficult for illegal groups to mimic official websites like those of a university, your bank or Twitter.

“When you receive these emails, so many things have been done to them to make them look legitimate that really it’s up to everybody that really, any time they see anything that one of their accounts has been compromised, you really need to look at things like what is the URL line that you’re being sent to and all of these other pieces.”

Bernius says that any time an email link sends you to a website that immediately asks for your password, Social Security number or other sensitive information, it should be a red flag.

The way you’ll catch it, he says, is by looking more closely at the URL once you’ve clicked through to the link.

“If you actually look at the link, the actual URL that would have been typed into the browser, you would see that it’s not actually to Twitter, or whatever. But because people don’t look at that, they just click through and put all of their information in, that’s how someone gets caught on a phishing hook if you will.”

University of Rochester officials said in a statement there have been several of these attacks on their employees in recent weeks.

And law enforcement officials have indicated that the U of R is not the only institution to experience this, the statement says.

Bernius says most hackers don’t engage in phishing and it’s looked down on in social hacking circles as an easy, unintelligent and dishonest tool for stealing information.

He says vigilance, always checking those URLs, is the best defense. Other things to look for are spelling errors in the subject line and awkward, disjointed sentences in the body of the email.