Phishing scams expose drawbacks of online convenience

Binghamton University’s Information Technology Services staff tries to minimize phishing, tech lingo for outside attempts to glean personal information, but these scams are so common and wide-ranging that ITS faces a continuous fight.

Phishing is a scam that usually comes in the form of e-mails designed to deceive recipients into providing personal information that can be used to gain access to online accounts and to commit identity theft.

The scammers typically pose as a financial institution, like a bank, a government agency like the IRS or even an IT department like Binghamton’s own help desk service.

According to Mark Reed, associate vice president of ITS, these types of messages, which claim to come from legitimate and professional institutions, typically function in two distinct ways.

The phishing e-mails can threaten recipients with warnings that an account owned by a user is at risk, threaten to cancel accounts if the user fails to respond and even offer tax refunds and other benefits if responses are provided.

“The information requested may include credit card number, Social Security number, ATM PIN number, password or other personal information which can be used to gain access to the user’s financial accounts or identity,” Reed said.

In some circumstances, the user is asked to provide this information via e-mail. Other times they will be directed to a website that mimics the website of a legitimate organization. Once the victim of the scam logs in, his/her information is in the hands of the phisher.

Reed said, however, that it can be difficult to head off the attacks before they happen.

“There is not a lot the University can do; they are extremely common and come quite often,” he said. He also said that there is no way for the University to track phishing, so it does not have statistics on precisely how prevalent the scams are.

To combat them, however, legitimate companies have cut down on using e-mails to contact their users for personal information, and they often urge users to verify information through other means.

“The rule of thumb is never respond to e-mails with personal information and find how to contact these businesses from another source,” Reed said.

According to Anthony Poole, assistant director for systems programming at ITS, the ITS aims to educate students on phishing.

“Really what we try to do is inform people of what phishing scams are and what they can do to prevent it,” Poole said.

Reed and Poole said that during the year, if they are aware of a particular scam that has had a wide distribution, students and faculty are notified through B-Line. If the ITS help desk receives a complaint, access to the phishing website will usually be blocked.

According to Poole, the switch to Gmail accounts in 2010 has reduced the amount of spam received.

“It probably did help,” Poole said. “Google is very good at identifying spam and probably better than we were.”

Despite the efforts to contain phishing, the University does not monitor people’s e-mails, a fact that can make students more susceptible to phishing scams.

“In the corporate world this is controlled more closely,” Poole said. “We are much more open. We don’t monitor for content at the University.”

To complicate matters, the University posts all BU e-mail addresses in an online directory, presenting full access to students’ and faculty’s personal contact information.

“It is potentially a problem,” Reed said. “There has always been some debate about whether to post them. In previous discussions, we have decided it is more effective.”

Students may contact the Registrar and request to have their personal information withheld from the public directory.

“In general these are transactions taking place in the background that may never come to our attention,” Reed said. “It is a price of doing business in a modern world.”