Phishing/Email Scams

Phishing (also known as spoofing) is the act of attempting to fraudulently acquire sensitive information, such as passwords or credit card details, by masquerading as a trustworthy person or business in a seemingly official electronic notification or message, most often an email or instant message.

The email message looks so harmless. Posing as your credit card company, it alerts you to a problem with your account and urges you to respond immediately by clicking a Web link and verifying your account information. The email and Web site appear official, with all the familiar logos and corporate phrases. But they're bait, presented to fool you into divulging your personal financial information.

Identity thieves send out billions of phish messages every month, according to media reports. The Anti-Phishing Working Group estimates that 5% of those who receive a phish message actually respond. Financial losses are difficult to measure, largely because victims are unable to attribute unauthorized charges to phish messages.

Spam filters provide some defense against phishers by intercepting their messages, but the target is elusive. The best defense is the individual user. Because things aren't always what they seem to be, you should be skeptical about many emails. To play an online game that teaches you how to identify phishing attempts, visit http://cups.cs.cmu.edu/antiphishing_phil/.

How to Avoid Getting Lured In

Don't open email or attachments from unknown sources.
Many viruses arrive as executable files that are harmless until you start running them. .jpg file attachments have recently become a new format for spreading viruses.

Be wary of unsolicited messages.
Even if you recognize the name of the sender, the message may not be genuine: scam artists sometimes use familiar names to get personal information from you. Never give out your NetID, password, credit card or social security number in response to an unsolicited request.

Adjust your spam filters to ward off unwanted spam.
Read everything you ever wanted to know about Spam and learn how spam filtering can help reduce the amount of unwanted email in your inbox, as well as help protect you from malicious attacks. Or, go to the Online Help Desk and search Spam Filter to learn more.

Be suspicious of emails with urgent requests for personal financial information.

  • If the email has no digital signature, do not respond. It might be forged or spoofed.
  • Be leery of alarming statements that urge you to act immediately.
  • Resist requests for usernames, passwords, account numbers and other identifying information.
  • Beware of messages that are not personalized. Valid messages from banks and other legitimate sources usually refer to you by name.

Don't click the link.
Instead, phone the company or do an Internet search for the company’s true web address.

Do not provide personal information by completing a form in an email message.
Only provide it over the phone or on a secure Web site (look for a Web address that starts with https://, not just http://, and for a padlock icon in the corner of the browser window).

Make sure your browser is up to date and that current patches are applied.

To Report Phishing or Spam
To report general phishing emails, go to www.antiphishing.org. To report phishing emails that appear to be from within the UW-Madison campus, go to Report an Incident.

To report emails that appear to be spam, forward the email to is-spam@doit.wisc.edu. You can also submit the offending email directly through the WiscMail web client. Learn more about submitting misclassified WiscMail messages.