Phishing - Don’t Get Scammed!
Beware of Advanced Fee Fraud (AFF) Attacks
What is advanced fee fraud?
Advanced fee fraud (AFF) works by enticing victims with offers that seem too good to be true, such as free items, job opportunities, or lottery winnings. The scammers ask the victims to pay an upfront fee to cover costs like shipping, processing, or taxes, with the promise of a larger reward later. Once the fee is paid, the scammers disappear, and the victim never receives the promised benefit. These scams often require payments through online transfer services like Zelle, Cash App, PayPal, Apple Pay or cryptocurrency. Learn more about this scam: Scammers are playing college kids with free piano offers.
Announcements
- To report a phishing email or if you have a question about the authenticity of an email, please forward a copy of it to abuse@umb.edu.
Take the UMass Boston recommended Department of Defense Phishing Certification course for free!
UMass Boston is a ripe target for people trying to steal passwords, credit card numbers, and other personal information. When you get an email or webpage asking for your password/info, to click on a link, or to view an unsolicited attachment -- BE CAREFUL -- it could be a phishing scam!
How can you tell? There’s not always an easy answer! The best advice is:
Educate yourself, Trust your gut, and Verify!
- “Educate Yourself!” – Learn about phishing tactics such as masking URLs and spoofing email addresses so you can more easily spot a fake. See "Learn More" and How to Protect Yourself below for some options!
- “Trust your Gut!” – Develop a healthy suspicion of emails and webpages asking for your password and other personal info. Phishing emails often try to convey urgency, with lines like “Act quickly” or “Account closure” and can sometimes even be spoofed to look like it’s coming from someone you know, or even UMass Boston IT. Make sure the link points to a legitimate address, and remember: your password is as sensitive as your credit card. Only enter it on known UMass Boston services such as Wiser, Blackboard, and email.
- “Verify!” – When you get that “phishy” feeling, check to make sure it’s a legitimate request or webpage. If you personally know the sender, contact them by phone or in person, or forward the email to abuse@umb.edu and ask if it’s legit. If you do not know the sender, forward the email to abuse@umb.edu to check legitimacy.
If you know you're dealing with a phishing message, please delete it without clicking any links.
Learn more:
- Check out the UK Parliamentary Digital Service’s Video on Phishing
- Take the DOD Phishing test
- Advanced phishing techniques to be aware of
Phishing, Scams, Adware, Spyware
Phishing and other scams are serious business. If you fall for an online scam, you risk exposing your personal or financial information and could cause the University's online services to be blacklisted. Read on for information on how to protect yourself.
What do the words mean?
- Adware is software that has been installed on your computer by a remote site and continues to generate advertising even when you are not running the originally desired program.
- Phishing is email fraud where the perpetrator sends out legitimate-looking emails that appear to come from well known and trustworthy websites in an attempt to gather personal and financial information from the recipient. UMass Boston users are kept up-to-date about such attempts. A phishing expedition, like the fishing expedition it's named for, is a speculative venture: the phisher puts the lure hoping to fool at least a few of the prey that encounter the bait.
- Spam is unsolicited email on the Internet. Spam is roughly equivalent to unsolicited telephone marketing calls, except that the user pays for part of the message since everyone shares the cost of maintaining the Internet. UMass Boston’s constantly updated spam filter blocks most junk mail.
- Spyware is a general term for a program that surreptitiously monitors your actions.
Introduction
Phishing activities are on the rise. According to the recent Phishing Activity Trends Report from the Anti-Phishing Working Group (APWG), the total number of unique phishing reports submitted to APWG in January 2008 was 29,284, an increase of over 3,600 reports from the previous month. Almost every day, newspapers, blogs and RSS feeds carry the sad tales of lost identities and pilfered life savings.
What is Phishing?
Phishing attacks are attempts to trick you into giving away your money or personal data to criminals pretending to be someone else, like an online vendor or your bank. According to the Anti-Phishing Working Group (APWG):
Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials.
Social-engineering schemes use 'spoofed' emails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond.
Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning.
Anatomy of a Phish
Want to see a cautionary example of a phishing scam a student on campus encountered?
Read our article on the Anatomy of a Phish to learn how these attacks can play out and what to watch for.
Your vigilance is key! If you spot something suspicious, ask us! We're here to help. By forwarding suspicious emails or reporting questionable communications to abuse@umb.edu, you can help us keep everyone safe.
How to Protect Yourself
You can improve your odds of avoiding the headaches associated with phishing by following the steps listed below.
The simplest 1-2-3 advice is: 1. Be wary 2. Stay vigilant 3. Use common sense. For a few specifics, follow this APWG list of tips to prevent being hooked by a phishing attempt:
- Be suspicious of any email with urgent requests for personal financial information. Even seemingly innocuous links like unsubscribe can be malicious links that generate a phishing process.
- Don't use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don't know the sender or user's handle.
- Avoid filling out forms in email messages that ask for personal financial information.
- Always ensure that you're using a secure website when submitting credit card or other sensitive information via your Web browser.
- Remember, not all scam sites will try to show the "https://" and/or the security lock, so get in the habit of looking at the address line, too. Were you directed to PayPal? Does the address line display something different like "http://www.gotyouscammed.com/paypal/login.htm?" Be aware of where you are going.
- Consider installing a web browser toolbar to help protect you from known fraudulent websites. These toolbars match where you are going against lists of known phisher websites and will alert you.
- Regularly log into your online accounts.
- Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate.
- Ensure that your browser is up to date and security patches applied.
- Report "phishing" or “spoofed” emails to the ITSD Service Desk.
- Get Department of Defense certified in the next 10 minutes - free
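The "look at the address line" tips above can be turned into a simple check that a help desk or awareness trainer can run against links pulled from a reported email. The following is an added example, not code from the UMass Boston page or from APWG. The TRUSTED_DOMAINS table and every sample URL except the page's own "gotyouscammed.com" are constructed for illustration; a real deployment would use the organisation's maintained allow-list of legitimate domains.

```python
"""Flag links whose address line does not match the brand the user expects.

Constructed example: the trusted-domain table and sample links are made up
for illustration (only gotyouscammed.com comes from the awareness page).
"""
from urllib.parse import urlparse

# Brand names mapped to the registered domains that legitimately serve them.
# Constructed for this example; a real deployment would maintain this list.
TRUSTED_DOMAINS = {
    "paypal": {"paypal.com"},
    "umb": {"umb.edu"},
}


def registered_domain(hostname):
    """Naive registrable domain: the last two labels (adequate for .com/.edu)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url, expected_brand):
    """Return human-readable warnings for a URL the reader believes leads to expected_brand."""
    warnings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    rdom = registered_domain(host)
    brand = expected_brand.lower()

    # Tip: "ensure you're using a secure website"
    if parsed.scheme != "https":
        warnings.append("not https")

    # Tip: "Were you directed to PayPal?" - compare the registered domain, not the whole URL
    if rdom not in TRUSTED_DOMAINS.get(brand, set()):
        warnings.append(f"host {host!r} is not a known {expected_brand} domain")

    # The brand name appearing in a subdomain or path but not in the registered domain
    # is the classic "gotyouscammed.com/paypal/login.htm" pattern from the tips list.
    if brand in (parsed.netloc + parsed.path).lower() and brand not in rdom:
        warnings.append(f"{expected_brand!r} appears in the URL but not in the registered domain")

    # "user@host" URLs: the part before '@' is a username, not the destination host.
    if parsed.username is not None:
        warnings.append("credentials before '@' can disguise the real host")

    return warnings


def check_email_link(display_text, href, expected_brand):
    """Also catch URL masking: link text that names one host while the href goes elsewhere."""
    warnings = check_link(href, expected_brand)
    text = display_text.strip()
    # Only compare when the visible text itself looks like an address, not "Click here".
    if "." in text and " " not in text:
        shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
        real = (urlparse(href).hostname or "").lower()
        if registered_domain(shown) != registered_domain(real):
            warnings.append(f"link text shows {shown!r} but the link goes to {real!r}")
    return warnings


if __name__ == "__main__":
    # Constructed samples: one genuine-looking link and three lookalikes.
    samples = [
        ("https://www.paypal.com/signin", "PayPal"),
        ("http://www.gotyouscammed.com/paypal/login.htm?", "PayPal"),
        ("https://paypal.com.evil-example.net/login", "PayPal"),
        ("https://www.paypal.com@evil-example.net/", "PayPal"),
    ]
    for url, brand in samples:
        print(url, "->", check_link(url, brand) or "looks consistent")
    print(check_email_link("https://www.paypal.com/account",
                           "http://www.gotyouscammed.com/paypal/login.htm", "PayPal"))
```

The check deliberately compares the registered domain rather than searching the whole URL for the brand name, because the brand name showing up anywhere else (subdomain, path, or the username before an "@") is exactly what the address-line tip warns about.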
Read the article 10 Ways to Avoid Phishing Scams for more details.
Sharpen and Test Your Skills
There are several excellent tutorials to help you spot phishing attempts and learn how to avoid them, and quizzes to test your awareness of various phishing tactics. You may wish to check out one or more of the following listed here.
Take our recommended phishing certification course
Videos, Tutorials, and Quizzes