Fall 2013

Cyber Criminals Want to Steal from YOU!

phish·ing /ˈfiSHiNG/ noun – the activity of defrauding an online account holder of financial information by posing as a legitimate company.

Between November 2012 and July 2013, 400 EMU community members fell for phishing attacks and had their credentials stolen. Criminals use “phishing” to trick you into giving personal information that can assist them in stealing your money and identity. They use your trust and good nature against you. Please Think before you click any link received in an email.

To help employees learn how to avoid phishing scams, about 950 EMU staff members received notification in July that they have been enrolled in a phishing education program from Phishme.com. The program runs from July 2013 through June 2014. The program delivers (educational) phishing messages to the enrolled employees each month. Those employees who “fall for” the fake phishing messages are immediately redirected to an educational page that includes a short video. The intent of this program is to help educate staff members on how to avoid phishing messages based upon the typical characteristics of phishing messages.

Phishing attacks can take many forms. Most phishing attacks are designed to trick the recipient into acting immediately by using an emergent issue as the focus, and they play to our inherent desire to be good employees. Do not let that sense of urgency cost you! Think before you click. Is this issue legitimate? Was it mentioned in EMU Today? Is the issue mentioned on the web page of the office that supposedly sent the message? Does the link take you to a page other than the one listed? When you move your cursor over the link in your email, does it direct you to a web site off campus? If you are unsure, press the Spam button in EagleMail and move on to your next message.

If you do click on a link inside of an email, consider the following: Do you see a login box? If the page asks you to log in, stop and Think before you Type your password. Does the web page ask you for personal information (email, username, social security number)? Think before you Type any personal information at the request of an email message.

One of the more recent phishing awareness email messages provided a fake “urgent” message regarding payroll. It provided a link to a fake EMU payroll web site and asked the users to log in and provide payroll information. There were red flags that should have warned individuals that this was a phishing attempt. First, no information regarding this payroll change was listed on the university’s Payroll webpage. Second, the link did not send the recipient to an “emich.edu” site. Also, any phone calls to the Payroll Office would have informed the user this was not a legitimate issue. Finally, any phone calls to the I.T. Help Desk would have informed the user that this “urgent” issue was not a real concern and should be ignored. Even so, over 100 EMU employees responded with their passwords within the first 30 minutes.

If you think you fell for a phishing attack, immediately change your my.emich password. If you need help changing your password, please contact the I.T. Help Desk at 734.487.2120.

If the phishing education program is viewed as successful during the initial contract period, the Division of Information Technology will request funding and approval to expand the program to include instructional employees. Questions about this program can be directed to Rocky Jenkins at 734.487.3145. More information about phishing and cybersecurity awareness can be found at emich.edu/esafe.
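
The two link checks described above (does the link go somewhere other than the address shown, and does it leave emich.edu) can also be automated by a mail administrator. The following is an added example, not part of the original newsletter or any EMU tool; the function names, the message body and the hosts under .example are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
TRUSTED = "emich.edu"  # campus domain named in the article
SAMPLE = (  # constructed message body; hosts under .example are made up
    '<a href="http://emich.edu.payroll-update.example/login">www.emich.edu/payroll</a> '
    '<a href="http://emich.edu@pay.example/">Payroll update</a> '
    '<a href="https://emich.edu/esafe">emich.edu/esafe</a>'
)

def host_of(url):
    """Hostname of a URL or bare domain (lowercased), or None if it has none."""
    try:
        return urlsplit(("" if "://" in url else "http://") + url.strip()).hostname
    except ValueError:
        return None

def on_campus(host, trusted=TRUSTED):
    # Exact match or a true subdomain; "emich.edu.payroll-update.example" fails.
    return bool(host) and (host == trusted or host.endswith("." + trusted))

class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html_body, trusted=TRUSTED):
    """Return (href, shown_text, flags) for each link in an HTML email body."""
    parser = _Links()
    parser.feed(html_body)
    results = []
    for href, text in parser.links:
        target = host_of(href)
        flags = [] if on_campus(target, trusted) else ["off-campus"]
        # Compare hosts only when the visible text itself looks like an address.
        shown = host_of(text) if "." in text and " " not in text else None
        if shown and shown != target:
            flags.append("text-mismatch")
        results.append((href, text, flags))
    return results
```

Comparing whole hostnames rather than searching for "emich.edu" anywhere in the link is what catches the first two sample links, where the campus name appears only as a prefix or before an "@".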