Fall 2013 Cyber Criminals Want to Steal from YOU!

phish·ing /ˈfiSHiNG/ noun – the activity of defrauding an online account holder of financial information by posing
as a legitimate company.
Between November 2012 and July 2013, 400 EMU community members fell for phishing attacks and had
their credentials stolen.
Criminals use “phishing” to trick you into giving personal information that can assist them in stealing your money
and identity. They use your trust and good nature against you. Please Think before you click any link received
in an email.
To help employees learn how to avoid phishing scams, about 950 EMU staff members received notification in July
that they had been enrolled in a phishing education program from Phishme.com. The program runs from July
2013 through June 2014. The program delivers (educational) phishing messages to the enrolled employees each
month. Those employees who “fall for” the fake phishing messages are immediately re-directed to an educational
page that includes a short video. The intent of this program is to help educate staff members on how to avoid
phishing messages based upon the typical characteristics of phishing messages.
Phishing attacks can take many forms. Most phishing attacks are designed to trick the recipient into acting
immediately by using an urgent issue as the focus and playing to our inherent desire to be good employees. Do
not let that sense of urgency cost you! Think before you click. Is this issue legitimate? Was it mentioned in EMU
Today? Is the issue mentioned on the web page of the office that supposedly sent the message? Does the link
take you to a page other than the one listed? When you move your cursor over the link in your email does it direct
you to a web site off campus? If you are unsure, press the Spam button in EagleMail and move on to your next
message.
If you do click on a link inside of an email, consider the following: Do you see a login box? If the page asks you to
log in, stop and Think before you Type your password. Does the web page ask you for personal information
(email, username, social security number)? Think before you Type any personal information at the request of an
email message.
One of the more recent phishing awareness email messages provided a fake “urgent” message regarding payroll.
It provided a link to a fake EMU payroll web site and asked the users to log in and provide payroll information.
There were red flags that should have warned individuals that this was a phishing attempt. First, no information
regarding this payroll change was listed on the university’s Payroll webpage. Second, the link did not send the
recipient to an “emich.edu” site. Also, any phone calls to the Payroll Office would have informed the user this was
not a legitimate issue. Finally, any phone calls to the I.T. Help Desk would have informed the user that this
“urgent” issue was not a real concern and should be ignored. Even so, over 100 EMU employees responded with
their passwords within the first 30 minutes.
If you think you fell for a phishing attack, immediately change your my.emich password. If you need help changing
your password, please contact the I.T. Help Desk at 734.487.2120.
If the phishing education program is viewed as successful during the initial contract period, the Division of
Information Technology will request funding and approval to expand the program to include instructional
employees. Questions about this program can be directed to Rocky Jenkins at 734.487.3145. More information
about phishing and cybersecurity awareness can be found at emich.edu/esafe.