Safe Computing

Phishing Scams

This page contains a number of resources to help you learn about the risks of email scams and to teach you how to recognize a scam email. Read on to learn how to foil the phisherman.

What are phishing scams?

Phishing is email fraud in which the perpetrator sends legitimate-looking emails that appear to come from a well-known and trustworthy web site in an attempt to gather personal and financial information from a recipient. Be advised that NSIT will never request your password, nor will we ask you to change or "validate" your password at a site other than http://cnet.uchicago.edu. If you receive a message that asks for your CNet password, it is a fraudulent email. See the Phishing cartoon on the Security Cartoon website.

There are other methods related to phishing by which a scammer can gain personal information about a victim. One such tactic is known as pharming, and involves redirecting links and internet addresses so that they lead to fraudulent websites. These websites can look very believable, but are designed specifically to extract personal information from a victim who thinks the website is real. Pharming can be even more harmful and effective than phishing because the pharmer can use the fake website to install viruses and spyware on the victim's computer without any warning. See the Pharming Cartoon on the Security Cartoon website. Another tactic, sometimes called whaling, is a phishing scam that is specifically targeted at an executive or a group of executives. Often, the whaler does specific research about the victim of his attack in order to craft a highly convincing email.

What can I do?

If you are not expecting the email, don't open it. Don't reply or click on any images or links in the email message. Just delete the email message. If you suspect that the email might be legitimate, we recommend you call the person and verify. This has fewer consequences than assuming the message is legitimate and finding out too late that you were wrong. It is also helpful to learn to recognize fake URLs that were created for phishing purposes. Carnegie Mellon University has developed a fun, simple way to learn about fake URLs with an online interactive game. If you are unsure if an email is legitimate, ask yourself these questions before replying or clicking on a link. You can also visit the Security Cartoon website to learn more about potential dangers on the Internet.

Examples of phishing scams

University administrators and NSIT personnel will never request your CNetID username or password by email. Any emails claiming to be from the University, NSIT, or the uchicago.edu team that ask you to give out your private information are scams. Look at our sample list of email scams on our Examples page. Some email scams also try to steal your personal information through ways other than email or online forms. For example, an email like this one requests credit card information by fax. Remember that your bank representative will never request your private information online, by phone, or by fax.

More examples can be found at Antiphishing.org, a phishing email archive database that keeps track of many different phishing emails that are reported throughout the year.

Can I report phishing scams?

Yes, you can report scams to a federal government website. They collect the information to build cases against any given attacker. Remember there are many attackers out there, and the federal government only has so many resources to go after them. The second link is to an anti-phishing volunteer organization that fights phishing email scams.

Learn More

Visit OnGuardOnline.gov for practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information. To learn more about identity theft and how to deter, detect, and defend against it, visit the FTC's Identity Theft website.

Phishing: Don't Bite. Don't let phishing scams reel you in.

Last updated: 8/28/08