The University of Vermont

Enterprise Technology Services

"Update Alert" is a Phishing Scam

Release Date: 09-27-2009

Author: Dean Jay Williams
Email: Dean.Williams@uvm.edu
Phone: 802/656-1174 Fax: 656-0872 or 656-8148

Yet another phishing scam is targeting various communities, including UVM, in an attempt to convince people to divulge their Network IDs and passwords. Please ignore these requests.

Late last week, some UVM community members received email messages from "no-reply@uvm.edu," with the subject "Update Alert" (full text below).  It tells the recipient to click on a link to a malicious web site that mimics UVM web pages, and solicits personal information, such as email username (Network ID) and password. This solicitation, and others like it, are phishing scams.  Do not click the link in the email. 

If you have already clicked on the link in this message, or one like it, please change your UVM Network ID password immediately, using the secure online form at www.uvm.edu/account/, or hackers, identity thieves, spammers, and criminals will have complete access to your confidential UVM information. Please call the Help Line at 656-2604 if you need assistance.

How would I know this message is a phishing scam?

Although the message appears to come from UVM, you would be able to tell by viewing the full email headers that it is not from UVM.  More importantly, you can tell by hovering your cursor over the link provided in the message that although it appears to go to a uvm.edu web site, it is really going to take you to svc130.wic021v.server-%0A%0Aweb.com/.  Also, there is no contact information, should you have questions or should you want to verify the legitimacy of the message. 

Its real purpose is to steal your password or cause you other grief through "social engineering" -- by luring you to a malicious web site. 
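The hover check described above can be automated for HTML mail by comparing the host a link displays with the host in its href. The following is an added example, not part of the original advisory; the href host login.example.net and the sample message body are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "uvm.edu"  # domain the visible link text claims to belong to

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL-like string, or '' if none parses."""
    cleaned = "".join(url.split())   # drop stray whitespace and newlines
    if "://" not in cleaned:
        cleaned = "//" + cleaned     # bare "www.uvm.edu/account/" style text
    try:
        return (urlsplit(cleaned).hostname or "").lower()
    except ValueError:
        return ""

def in_domain(host, suffix=TRUSTED):
    # Dot-anchored match, so "uvm.edu.example.net" does not count as uvm.edu.
    return host == suffix or host.endswith("." + suffix)

def deceptive_links(html_body):
    """Links whose visible text names a trusted host but whose href does not."""
    parser = AnchorCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        shown, actual = host_of(text), host_of(href)
        if in_domain(shown) and not in_domain(actual):
            findings.append({"shown": shown, "actual": actual})
    return findings

# Constructed sample: visible text from the scam, placeholder href host.
SAMPLE_BODY = ('<p>Please click on below link to update your Email account.</p>'
               '<a href="http://login.example.net/horde/imp/">'
               'https://webmail.uvm.edu/horde/imp/</a>')
```

Calling deceptive_links(SAMPLE_BODY) reports the link because its text shows webmail.uvm.edu while the href points elsewhere; a link whose text and href are both under uvm.edu is not reported.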

How would a message from UVM about my account differ from this scam?

UVM is requiring passwords for our Network IDs to be changed at least annually, but as UVM implements that requirement, Enterprise Technology Services (ETS) is taking steps to assure account holders that our communications are legitimate.  People who have not changed their Network ID passwords in over a year will receive reminders via email to do so.  Those reminders differ from most phishing scams in several ways:

  • There was a broadcast email from a verifiable, trusted source explaining what was going to happen.
  • Individual emails are being sent to people who need to change their passwords.  The messages include recipients' names, come from a real person, include a specific expiration date, explain how to verify authenticity (including a link to a news article on the uvm.edu web site), and tell how to get help.
  • The Help Line (656-2604) can help people confirm that what they received is legitimate.
  • UVM does not ask for passwords to be sent in email, but instead asks people to visit a uvm.edu web site.
University of Vermont officials should never request your password, and you should never provide your password to someone who asks for it.

What is a Phishing Scam?

The Anti-Phishing Working Group (APWG) explains that phishing "attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials."

APWG offers useful tips to help you avoid becoming a victim of phishing or pharming:

  • Be suspicious of any email with urgent requests for personal financial information
  • Don't use the links in an email to get to any web page, if you suspect the message might not be authentic
  • Avoid filling out forms in email messages that ask for personal financial information
  • Always ensure that you're using a secure website when submitting credit card or other sensitive information via your Web browser
  • Consider installing a Web browser tool bar to help protect you from known phishing fraud websites
  • Regularly log into your online accounts
  • Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate
  • Ensure that your browser is up to date and security patches applied
  • Always report "phishing" or "spoofed" e-mails

Visit the following resources to learn more about phishing and pharming prevention, scam advisories, and to report yourself as a victim of phishing or pharming:

What Does the Latest Phishing Scam Say?

Phishing scams are successful when they sound authentic, and are often customized to appear as though they come from a trusted source.  They often include a mix of real and bogus email addresses and web links (URLs).  Phishing scams often appear to come from UVM, although of course they do not.  

Update Alert

From: "The University of Vermont"<no-reply@uvm.edu>
Date: September 25, 2009 12:35:11 PM EDT
Subject: Update Alert

Attention Member,

Please click on below link to update your Email account.

https://webmail.uvm.edu/horde/imp/

The University of Vermont







Contact UVM © 2009 The University of Vermont - Burlington, VT 05405 - (802) 656-3131