Binghamton University officials say it’s up to students to protect themselves after phishing scams put almost 100 BU e-mail accounts at risk this summer.
Phishing is a technique in which scammers pose as a legitimate organization in order to gain sensitive information; it typically takes the form of Web sites or e-mails. All types of businesses are at risk for imitation — from eBay to PayPal and banks — according to Mark Reed, associate vice president for BU’s Information Technology.
According to a study by Consumer Reports, over the last two years about 6.5 million consumers — roughly one in 13 households with Internet — have given phishing scammers personal information.
When a user receives a scam e-mail, the message usually asks the user to respond with a password or user name. The hackers also set up Web sites that copy an actual company’s site, and can look very much like the real thing, Reed said.
“They can be very sophisticated,” he said. “People keep falling for it.”
The particular scam BU officials advised students against over the summer appeared to be an e-mail from the “Binghamton Technical Support Team,” which sought user ID, password and birth date, and threatened to cut off service to those who didn’t reply.
After looking into the scam, Information Technology found that nearly 100 students had responded to it; those students were subsequently told to change their passwords.
Reed said this specific variation surfaced in Binghamton around April, and kept getting more and more sophisticated.
“They do look like real e-mails from BU,” said Student Association President Matt Landau. The SA also sent out an e-mail in July giving students a heads up.
Once students replied to the e-mail, their accounts were at risk of being used as mass spam engines — just one of many practices hackers use after obtaining the information. In other sorts of phishing scams, a user’s identity can be stolen too.
Some of those affected often don’t even realize their accounts have been compromised, Reed said.
“There’s really not a way to warn everyone,” he said. “You just never want to respond with any personal information or anything you get on e-mail.”
Most companies are not going to send something asking for such personal information over e-mail anyway, he said. But if a message looks too convincing to judge, he recommends calling the company, using some method other than e-mail.
To ensure a secure e-mail account, make sure the user ID and password are not identical, he added.
“Spammers doing this illegally have to keep moving from site to site, so it’s fairly ongoing,” Reed said. “Certainly other phishing scams not related to Binghamton are still pouring in.”