E-Mail ‘Phishing’ Can Lead to Identity Theft

  illustration by Todd Meagher

It could happen like this: you log into your e-mail in the morning and notice a message from a financial institution that you do business with. The e-mail is labeled “High Priority – Security Alert” and notifies you that someone has been trying to activate an account in your name. The e-mail asks for some basic information to confirm that the account is, in fact, yours and that you are the only person who should have access to it. You are asked for your social security number, account number, and password so that your information can be verified and your money protected. What do you do?

“People get that sort of e-mail message all the time, sometimes on a daily basis,” says Angie Wolf, director of I.T. planning and operations. “The important thing to remember is that in order to be taken in by one of these scams, you have to actively participate. If you are asked via e-mail to provide personal, confidential information—be suspicious!”

Virtually any time you give out your e-mail address, whether to make an online purchase or to join an organization or be put on a distribution list, that information begins to circulate on the World Wide Web. The same is true if your e-mail address is posted on an Internet server, like Trinity’s. “If you do business over the Web, eventually lots of companies are going to have your information,” explains Emmanuel Chang, distributed computing specialist. “Most of those companies are reputable but, just like regular, direct mail advertising, e-mail is a marketing tool.” Some companies actively buy and sell e-mail address lists, which they then use to market products. Much of the junk e-mail, known as spam, that winds up in our in-boxes is harmless advertising designed to get the user to buy something.

The practice known as “phishing,” however, has a different goal in mind. According to webopedia.com, an online encyclopedia dedicated to computer technology, phishing is “the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.” Frequently, the e-mail asks the user to update personal information, such as credit card numbers or social security number, which has supposedly been lost by the “legitimate” company. The perpetrators of this kind of fraud will have already set up a phony Web site to closely resemble that of the real company they are attempting to imitate.

“Spam in general is hard to stop because, no matter what filters we put in place, people figure out ways to get around them,” explains Wolf. “But most of it is just advertising. For a while, everyone was getting lots of spam about mortgages, so we filtered that word. But then the spammers started using the number “zero” instead of the letter “o” in the word or they’d leave a space between two letters, so the filter lets it through. Trinity runs a program called Brightmail that does all the cursory checks on e-mail messages, like blocking e-mail from known spam sites. Obviously, though, we don’t want to filter out e-mail that people might want—so some will always get through. Even though you will see some spam, you’re having a lot more blocked.”

The word “phishing” is, of course, a variation of “fishing” because the idea is that the scammers send out a lot of “bait” with the hope that some unsuspecting user will be tempted to bite. “It’s a numbers game,” says Chang. “If they send out 10,000 e-mails and get a handful of responses that include personal information, they’re making money. They wouldn’t keep doing it if they weren’t successful. The key for users is to always be aware of who you’re dealing with and never, ever, give out personal information to anyone who contacts you by e-mail. Call them on the phone and ask them why they need it. If it’s a bank, go to their office. And if a legitimate company actually loses your confidential information, you might want to think about not doing business with them anymore.”

Coming next month: How identity theft affected one member of the Trinity community.


 

back to top

Return to eQuad table of contents