Q: How does phishing work?
A: Phishers try to make themselves look like someone you trust so that you give them private information. For example, you receive an email containing your bank's logo with instructions to go to a website that looks like your bank's website and enter your account number and PIN to "verify your account." The phisher's hope is that you will assume the presence of the bank's logo means the request is legitimate.

Something similar happened recently at Lafayette when a phisher emailed students claiming to be from ITS. The message included several official Lafayette logos and instructed students to provide their Network ID passwords or their accounts would be disabled.

Note that no legitimate organization will ever ask for your password or PIN. Accepting this as fact is your single best defense against phishing.

Q: What are the primary dangers associated with phishing?
A: Successful phishing results in identity theft. If someone has your personal information, s/he could access your financial resources or apply for other resources in your name.

If a phisher has your Lafayette email credentials, s/he could use your account to send spam or more phishing email. Most phishers don't want to read your email, but they do want to use your email account to send spam. If your account becomes an origin for spam, it can result in your address being "blacklisted" by other mail servers so that you cannot send mail to others. Some mail servers just blacklist the entire domain, which would mean all mail from all Lafayette email accounts would be rejected.

Q: How can you detect phishing? What should you look out for?
A: Phishing attempts come in the form of emails, phone calls, and other types of correspondence that ask for personal information. If you receive a request for personal information from an entity that you think might actually be legitimate, do not provide it in response to the request; instead, contact the entity through a number or address you already know to be genuine (e.g., one printed on a statement or bill).

Many modern web browsers and email clients contain anti-phishing features. While these systems are useful in protecting you from phishing attempts, they are not 100% effective, so remain mindful whenever you are asked to divulge personal information.

For more information visit the Federal Government's site for warnings on what to look out for: http://onguardonline.gov/phishing.html

Q: What is ITS doing to prevent phishing?
A: Email-based phishing is a form of spam and we manage spam for you. Ninety percent of the mail bound for lafayette.edu is spam that you never see because we have a good spam filter. However, no spam filter is perfect, and spam occasionally will make it through. All Lafayette email users are free to adjust how the filter works for their account; information is available at http://its.lafayette.edu/help/proofpoint.

Q: I believe I have been phished. What should I do?
A: Change whatever credentials you gave out immediately and report the incident to the institution that requires those credentials. For example, if you gave your PIN and bank account number, change your PIN and call your bank. If you have provided your Lafayette Network ID to someone whom you believe to be a phisher, see Identity Theft and Network ID Compromise.

Q: Is there any way to prevent phishing?
A: Not really, just as there's no way to prevent 100% of spam. But ITS recently applied a new type of filter for blocking phishing scams. It has captured many phishing messages that might otherwise have gotten through; however, there is still a possibility that a phishing message will get past the filter. So questioning those who ask for your information is still the best defense against phishing emails. And remember that no legitimate organization will ever ask for your password or PIN.

5/6/09