Phishing attacks have been a problem for many years. Typically, hackers have sent messages asking members of our community to click on a link or reply to an email message with a password. Their goal has always been to trick our community members into giving them access to our accounts and information. Sometimes, they have pretended to be DoIT and sent messages to ask for your password or to tell you that there is a problem with your UMBC account.
Recently, the hackers have expanded their efforts and sent messages as people around our campus. They have been looking up the names and titles of UMBC community members on the Internet and then using that person’s name and title to request information. They try to choose a name or title that the community would trust. As examples, during recent attempts, they have requested information about how to wire money out of the campus and get people to send checks to outside addresses. They have also requested that people send them files containing the social security numbers of community members. In some cases, they have also impersonated UMBC vendors. In each of these examples, they have tried to make their phishing messages appear to come from a person that the campus would trust.
The hackers are motivated by money and resources and will continue to try to get to our accounts, information, and resources. The only thing that can stop them is the UMBC community working together to block their attempts. Here are some questions that DoIT frequently receives and the answers.
1. What information can’t I send in email?
No one should ever send passwords or confidential information in an email message.
Confidential information includes social security numbers, driver’s license numbers, passport numbers, and financial account numbers. This information is classified as confidential information under the policies of UMBC, the University System of Maryland, and the State of Maryland. Passwords and confidential information can never be sent through email. This includes the body of an email message and as an attachment to a message. For in depth information about our data classifications and use, please see the following two links:
UMBC Policy on the Definition and Classification of Sensitive Information
2. Will DoIT ever ask for my password?
No. In fact, DoIT doesn’t know (and has no reason to know) your password. The only person who should ever know your password is you. If DoIT needs to assist you with your password, we can help you to reset your password, but DoIT still won’t need to know your password. To help us maintain the privacy of your password, please make sure you have your account security questions enabled -- and make sure you know the answers. Please also ensure that you have an alternate email address registered with UMBC. If DoIT needs to send you a link to reset your password, we will send it to the secondary email address that we have associated with your account.
3. What should I do if I receive a suspicious message?
If you think that the message is asking you to do something that seems unusual, look up the phone number of the person the message is from in the UMBC directory, call the person, and ask them if they really sent the message. Do not call a person back at a phone number that is listed in the suspicious email message. The phishing message may include the phone number of the hacker. For example, if you get a message saying that there is a problem with your computer account and you aren’t sure if it’s a real message, please call the DoIT Technology Support Center (410-455-3838) and ask if it’s a real message. This also applies to any messages that might appear to come from Human Resources, Finance, Financial Aid, or any other department. If the message seems strange, trust your instincts, look up the correct phone number for the person, and call to verify the message.
4. What should I do with a message that I have determined is a phishing message?
Forward it to security@umbc.edu with “full headers” and as much information as you can. DoIT will review the messages that you forward, verify that they are phishing messages, and take steps to try and protect the rest of the community.
Once you forward any phishing messages to security@umbc.edu, please delete the messages, and very importantly, never click on the links in a phishing message. Just by clicking on the link in a phishing message, you may download a malicious program onto your computer.
5. Who do I contact if I have additional questions?
As a starting point, the following links may provide assistance.
UMBC “Phishing & Spam” FAQ Collection
Anti-Phishing Work Group (non-UMBC consortium of institutions fighting phishing)