Phishing/Email Scams

Phishing (also known as spoofing) is the act of attempting to fraudulently acquire sensitive information, such as passwords or credit card details, by masquerading as a trustworthy person or business in a seemingly official electronic notification or message, most often an email or instant message.
The email message looks so harmless. Posing as your credit card company, it alerts you to a problem with your account and urges you to respond immediately by clicking a Web link and verifying your account information. The email and Web site appear official, with all the familiar logos and corporate phrases. But they're bait, presented to fool you into divulging your personal financial information.
Identity thieves send out billions of phish messages every month, according to media reports. The Anti-Phishing Working Group estimates that 5% of those who receive a phish message actually respond. Financial losses are difficult to measure, largely because victims are unable to attribute unauthorized charges to phish messages.
Spam filters provide some defense against phishers by intercepting their messages, but the target is elusive. The best defense is the individual user. Because things aren't always what they seem to be, you should be skeptical about many emails. To play an online game that teaches you how to identify phishing attempts, visit http://cups.cs.cmu.edu/antiphishing_phil/.
How to Spot a Scam/Phishing Attempt
The message appears to be a legitimate communication from UW-Madison or another institution that asks you to take action of some sort (e.g., update account information).
Links and requests for information alone do not indicate a scam; it’s the type of information that’s being requested that should serve as an alarm. (See next points.)
The message contains an urgent request for personal financial information.
- Be leery of alarming statements that urge you to act immediately.
- Resist requests for usernames, passwords, account numbers and other identifying information.
- Beware of messages that are not personalized. Valid messages from banks and other legitimate sources usually refer to you by name.
The message asks for your NetID, password or other "restricted" data (i.e., SSN, account numbers, health information).
DoIT will never ask you to reveal your NetID, password or other restricted data through email, phone, text or any other means. You may be asked to change or strengthen a password, but you will never be asked to disclose it outright. We are also working with other campus departments to find ways of requesting restricted data that do not rely on email.
The message has an unusual From address or an unusual Reply-To address.
DoIT does not use commercial Internet Service Providers to send email. If you get an email that appears to have come from the University that has a .com address, do not reply.
The message is not digitally signed.
A digital signature is an online verification that the sender is who they claim to be. Signed emails usually include a ribbon, envelope or pen symbol, or a "signed by" message in the window. If clicking the symbol results in a "signature is invalid" message, don't trust the message. Please note, however, that the absence of a digital signature does not by itself mean a suspicious email is a scam.
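The checklist above can be turned into a mechanical triage step. The following script is an added example written for this page; it is not a DoIT tool. It parses a raw email message with Python's standard library and reports which of the indicators above fire: a Reply-To domain that differs from the From domain, a sender domain outside an assumed set of campus domains (here just wisc.edu, an assumption for the example), urgent wording combined with a request for a NetID, password or other restricted data, a generic greeting in place of your name, and links whose visible text names one site while the actual address goes to another or lacks https. The two sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumption for this example: the only domains genuine campus mail should come from.
TRUSTED_DOMAINS = {"wisc.edu"}
URGENT_WORDS = ("immediately", "within 24 hours", "suspended", "urgent")
RESTRICTED_WORDS = ("password", "netid", "social security", "ssn", "account number")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def host_of(url):
    """Hostname of an http(s) URL, or '' if the string is not one."""
    m = re.match(r"https?://([^/:?#\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def is_trusted(domain):
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def phishing_indicators(raw_message):
    """Return the checklist indicators that fire for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # Unusual From / Reply-To: replies are routed to a different domain than the sender's.
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    # Sent from a domain that is not one of the assumed campus domains.
    if not is_trusted(from_dom):
        findings.append("untrusted-sender-domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    links = []
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(content)
        links = collector.links
        content = re.sub(r"<[^>]+>", " ", content)  # strip tags before the word checks
    text = (str(msg.get("Subject", "")) + " " + content).lower()

    # Urgent request for a NetID, password or other restricted data.
    urgent = any(w in text for w in URGENT_WORDS)
    restricted = any(w in text for w in RESTRICTED_WORDS)
    if urgent and restricted:
        findings.append("urgent-request-for-restricted-data")
    elif restricted:
        findings.append("requests-restricted-data")
    # Not personalized: legitimate senders usually address you by name.
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic-greeting")
    # Link text naming one host while the href goes to another, and links without https.
    for href, label in links:
        shown = host_of(label if label.lower().startswith("http") else "http://" + label)
        if "." in shown and shown != host_of(href):
            findings.append("link-text-mismatch")
        if href.lower().startswith("http://"):
            findings.append("insecure-link")
    return findings


# Constructed sample: a lure that trips every indicator above.
PHISH_SAMPLE = """\
From: "UW-Madison DoIT Help Desk" <helpdesk@wisc-support.example>
Reply-To: verify@mail-verify.example
To: student@wisc.edu
Subject: Urgent: your NetID will be suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear User,</p>
<p>Your account will be suspended within 24 hours unless you verify your NetID and password immediately.</p>
<p><a href="http://wisc-support.example/verify">https://my.wisc.edu/login</a></p>
</body></html>
"""

# Constructed sample: a routine, personalized notice from a campus domain.
LEGIT_SAMPLE = """\
From: "DoIT Help Desk" <helpdesk@doit.wisc.edu>
To: student@wisc.edu
Subject: Scheduled WiscMail maintenance
Content-Type: text/plain; charset="utf-8"

Hello Jane,

WiscMail will be unavailable this Saturday from 2 to 4 a.m. for maintenance.
No action is needed on your part.
"""

if __name__ == "__main__":
    print("phish:", phishing_indicators(PHISH_SAMPLE))
    print("legit:", phishing_indicators(LEGIT_SAMPLE))
```

The script is a triage aid, not a verdict: a message that trips none of the checks can still be a scam, and a legitimate notice that happens to mention a password change will trip one. Treat the output as a list of reasons to pick up the phone rather than click.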
How to Avoid Getting Lured In
Don't open email or attachments from unknown sources.
Many viruses arrive as executable files that are harmless until you run them. Image attachments such as .jpg files have recently become a new format for spreading viruses.
Be wary of unsolicited messages.
Even though you may recognize the name of the sender, scam artists sometimes use these tactics to get personal information from you. Never give out your NetID, password, credit card or social security number in response to an unsolicited request.
Adjust your spam filters to ward off unwanted spam.
Read everything you ever wanted to know about Spam and learn how spam filtering can help reduce the amount of unwanted email in your inbox, as well as help protect you from malicious attacks. Or, go to the Online Help Desk and search Spam Filter to learn more.
Don't click the link.
Instead, phone the company or do an Internet search for the company’s true web address.
Do not provide personal information by completing a form in an email message.
Only provide it over the phone or on a secure Web site (look for a Web address that begins with https://, not just http://, and for a padlock icon in the corner of the browser window).
Make sure your browser is up to date and that current patches are applied.
To Report Phishing or Spam
To report general phishing emails, go to www.antiphishing.org. To report phishing emails that appear to be from within the UW-Madison campus, go to Report an Incident.
To report emails that appear to be spam, forward the email to is-spam@doit.wisc.edu. You can also submit the offending email directly through the WiscMail web client. Learn more about submitting misclassified WiscMail messages.
If you are ever unsure whether an email message is legitimate, DO NOT RESPOND to it! Instead, contact the DoIT Help Desk (608) 264-HELP (4357) and ask for advice.