Fordham IT Warns About Malicious “Phishing” Emails

By KATHRYN FEENEY

Published: April 2, 2009

Several faculty members at Fordham have received “phishing” e-mails claiming to be sent from within the University Webmail system. Fordham IT is encouraging students and faculty to treat suspicious e-mail with caution and to seek help from IT upon encountering questionable mail.

“I received an e-mail inviting me to update information on my e-mail account—username, password, etc.,” said Eva Stadler, professor of English. “The sender had an official-sounding title that included the word Fordham. I was suspicious because of the nature of the questions asked [and] erased the message… Since I didn’t respond to the message, I am quite sure that my e-mail account has not been compromised.”

In an attempt to persuade unsuspecting faculty to provide their passwords, the phishing e-mail appeared to come from within the University. It said, “In line with our commitment to improve our Web service, all e-mail accounts for staff and students will be upgraded for migration to our new Web interface… Warning! Failure to confirm the information above will render your e-mail address deactivated from our database.”

Stadler said that she forwarded the suspicious e-mail to Linza Mostert-Tirado, secretary for the communication and media studies department. Mostert-Tirado sent out a department-wide e-mail alerting faculty about the mail. “Remember, the Golden Rule is: Fordham will never, ever ask for your password,” her e-mail stated. She urged faculty not to send their password or other information to anyone, as “[Fordham] cannot allow a breach of [its] security.”

Another recipient of the e-mail was Robert Moniot, associate dean at Fordham College at Lincoln Center (FCLC). Moniot said that “phishing” is classified as a social engineering scam, a type of malware that relies on fooling people into revealing sensitive information. The e-mail will either request the information directly or ask them to click on a link that claims to re-route them.

“Even if you are fully protected, with all necessary patches and firewalls installed, if you click on a link [in a phishing e-mail] none of that will help you,” Moniot said.

Shannon Ortiz, director of IT security, said that there have been 35 reports of encounters with problematic e-mails since September, but there may have been more that went unreported.

Moniot said that there are some common characteristics of this type of phishing e-mail that students should be wary of. The first sign is when any person or organization asks for sensitive information.

“No legitimate institution is going to ask for your password or social security number through e-mail,” Moniot said. He said that phishing e-mails often include grammatical mistakes and are addressed anonymously, such as “Dear User.” He said, “When Fordham e-mails you, they will use your first and last names.”

Rev. Michael Tueth, S.J., associate chair of communication and media studies at Fordham College at Lincoln Center (FCLC), also received the e-mail. Not knowing what it was, he asked Mostert-Tirado for her advice, and she explained the nature of the letter.

“Linza said that the tell-tale sign was that they asked for my password, which legitimate e-mails never do. I am so glad that she caught it, and I don’t think that my e-mail has been compromised because I did not answer it,” he said.

Ortiz said that he has started a blog available through the Fordham IT Web site where he posts copies of all the illegitimate mail that is reported to the IT help desk. He said that he encourages students to check the blog frequently to stay up-to-date on what kinds of phishing and spam scams are being sent to Fordham accounts.

Ortiz said that Fordham IT plans to hold training sessions for faculty and staff on how to spot and avoid e-mail scams sometime in the near future and eventually have one for students as well. For now, he urged students to seek help whenever they encounter something unfamiliar or suspicious in their inboxes.

“Call the IT help desk; it is always better to err on the side of caution,” he said. “If it looks fishy, it probably is fishy.”