It is a prevalent online threat attacking UC Davis e-mails – and many students and faculty members may not even know if they have become victims.
E-mail phishing, or simply “phishing“ as it is more commonly known, is a form of online fraud in which the perpetrator attempts to gather personal information from unsuspecting individuals by sending out e-mails or spam that appear to come from reputable organizations, said Mark Stinson, client services manager in the IET department.
“Phishing is essentially a form of social engineering,“ Stinson said. “It is a way of getting into a system through non-technical means by getting the user to give up information such as their password.
“Often these messages will come under the guise of well-known institutions such as banks and will include links to legitimate looking websites asking the user to confirm sensitive information.“
Phishing is a frequent and ongoing problem for UC Davis e-mail accounts, Stinson said. The IT department sees phishing e-mails being sent to UC Davis accounts on a weekly basis.
“[Phishing] has always been going on – it’s just getting worse,“ Stinson said. “The phishing e-mails come in waves and we are finding that each one always seems to get a few responses from MyUCDavis users, in some cases up to a dozen users are replying at once.“
Though phishing only attacks a handful of individuals at a time, it can often cause problems for the entire system, as was the case in a recent incident during winter break, Stinson said.
“Those individual e-mail accounts can end up on something called a real-time block list or RBL where other Internet service providers (ISP) detect that a lot of spam is coming from certain accounts and stop accepting e-mails from them,” he said. “Given enough time, all of our servers can end up on the list and then nobody’s e-mails are getting through.“
Once that happens, the IT department has to go in and manually remove the servers from the block lists, said Jatinder Singh, a manager at the campus data center.
“Usually the process consists of us filling out paperwork from the ISP, requesting to be removed from the list,” he said. “In the meantime, individual e-mails can’t get through to those other accounts and are either bounced back or sit on the server for a few days.“
Though the phishing of campus e-mail accounts comes primarily from spammers and has been relatively harmless, phishing can potentially lead to far more serious consequences, Singh said.
“The worst case scenario is where somebody can use phishing to commit identity theft,” he said. “Phishers can often get a hold of really important information such as bank account numbers.… This is especially a risk if a person uses the same password for multiple accounts.“
Stinson said the campus environment can make it especially difficult for the IT department to filter out phishing e-mails.
“College campuses have very diverse users who are studying many subjects,” he said. “We can’t filter out e-mails based on specific words such as ‘Viagra‘ because chances are that a researcher somewhere on campus is doing studies on Viagra. It just makes it tricky for our department.“
There is no real way for the IT department to completely eliminate phishing of e-mail accounts, but students can take steps to protect themselves from becoming victims, Stinson said.
“Students need to become knowledgeable about spam,” he said. “You wouldn’t give your Visa number over telephone and it is the same idea with e-mail. Users should never give out their usernames or passwords unless they are using them to access MyUCDavis. Also, don’t click on links in e-mail messages.… Everybody needs to copy and paste URLs into their browser.“
Andrew Theis, a sophomore engineering major and web developer, said he thinks the campus’s move to Geckomail will help reduce the negative effects of phishing.
“I think the fact that we are now doing e-mail through Google is really a good solution to the problem. They are on the leading edge of technology,” he said. “I trust Google to take care of any security threats that would arise from phishing.“
Stinson said he hopes that as more users become aware of phishing, the cases will begin to diminish.
“It really is a cat and mouse game,” he said. “User education really is the answer to the problem.“
ERICA LEE can be reached at firstname.lastname@example.org.