Spam and phishing continue to grow quickly, accounting for nearly 90 percent of all e-mail messages received. Spam is unwanted advertising that clutters our inboxes. Phishing is more malicious: it is a technique cyber criminals use to gain your trust by sending an official-sounding e-mail message or phone message, posing as a legitimate organization such as American University, a bank, or a government agency. The goal of the phisher is to get you to click on a link so that your computer becomes infected, or to get you to provide your password, banking information, or personal identification number (PIN).
In May of 2010, a web site was created to look nearly identical to our mail.american.edu website. A cyber criminal sent an e-mail telling customers they needed to change their e-mail password; the message included a link to the falsified mail web page. Nearly 40 people followed the link and put in their credentials.
Our most recent large attack occurred in March of 2011. In this instance, 1,000 people received an e-mail purporting to be from "American University Wachington DC". Unfortunately, just over 10% of the AU students, faculty, and staff who received that e-mail actually clicked on the link and provided their credentials. In several cases, the credentials were reused by the cyber criminal in an attempt to access sensitive data.
Fortunately, the Office of Information Technology staff used their detective and protective measures to prevent further damage to users and to University resources; however, phishing and spam are global issues and human issues that require each individual to Stop.Think.Click™.
A Few Tips To Avoid Being Lured
If you are not expecting an e-mail or do not recognize the sender, delete it. Never open the attachment or follow the link. Another option is to use the phone to call and validate whether the message is legitimate.
Contact the Help Desk if you are concerned about the validity of an e-mail message that you have received.
Never provide passwords, banking information, or personally identifiable information, based on instructions sent to you via e-mail or an unsolicited voice mail message.
Put your cursor over a link in an e-mail to check the destination address. If it does not end in "american.edu", it is not an AU server.
Know that the Office of Information Technology will not request your account information (such as your password) by e-mail. If there is ever a problem with your account, we will ask you to contact the IT Help Desk to correct it.