UI warns of phony e-mails
May 1, 2006
University officials are warning that e-mails asking for account and social security numbers from University Employee Credit Union members are illegitimate attempts by scam artists.
E-mails that were sent out to potential credit union members warned that their accounts “may have been accessed by an unauthorized third party” and urged users to login to their online account at a phony Web site, which would then collect the information to be used by the scammers later. The Web site deceptively spoofs the look of the credit union’s online banking site. The scammers use the information submitted to create phony ATM cards to withdraw money from a member’s account.
Greg Anderson, executive vice president of the credit union, said a large amount of e-mails were sent out mid-March to seemingly anyone with an “@uiuc.edu” suffix, regardless of whether or not the person had an account with the credit union.
“They’re phishing,” Anderson said, referring to the practice of using the appearance of legitimacy to obtain sensitive information online.
In the most recent scam attempt, the e-mails were coming from Romania, and a hacked server in Hong Kong hosted the fake Web site. Anderson said that the credit union uses an Internet security firm to track back the fake e-mails and works to shut down the scammers’ operations.
Get The Daily Illini in your inbox!
“There’s no case where we or any other institution would be saying please verify your account number, your pin number or something,” Anderson said. “Once you step back and look at it a bit you say, ‘well, that’s kind of preposterous that the financial institution would contact me and say put in your credit card number.'”
Several dozen members of the credit union had reported they had fallen for the scam, Anderson said, and the credit union responded by blocking the credit cards of the members and issuing new ones.
Campus Information Technologies and Educational Services has been able to catch and block phishing e-mails through its spam filters once phony e-mails are reported to them, said Mike Corn, director of security services and information privacy for CITES.
“It’s never perfect and you can see we’re always playing catch-up,” Corn said.
Once a new spam or phishing e-mails is caught, it is added to the anti-spam engine, which is updated two to six times a day, Corn said, warning people to be cautious and skeptical.
“I think we’re in a time where more and more people are more comfortable with doing things online,” Anderson said. “Their defenses just get down.”