Phishing for Trouble: Officials Use Humor to Promote Cyber Security

October 6, 2009 — If you see someone strolling around Grounds this month in a fish costume, think of your computer.

Listen to the UVA Today Radio Show report on this story by Marian Anderfuren:

That someone is likely Karen McDowell, an information security analyst at the University of Virginia's Information Security, Policy, and Records Office. She spells the name of her costume "p-h-i-s-h," after the computer "phishing" scams that seek to trick the unwary into giving away personal information – and potentially a good portion of their savings.

October is National Cyber Security Awareness Month, the time of year when McDowell breaks out the phish costume and hands out computer security literature. But there are serious events planned as well.

A kickoff event will be held Thursday at 11 a.m. in the Newcomb Hall South Meeting Room, with opening remarks from state Del. Rob Bell, who successfully sponsored a bill to strengthen Virginia's identity theft laws. His remarks will be followed by a presentation that includes specific suggestions for avoiding identity theft, and information about security issues relating to social media, computer and Internet security, and the coming rollout of an enhanced NetBadge system at U.Va. A free buffet lunch will be available to the first 40 attendees.

Similar presentations will be held on subsequent Thursdays, at staggered times: Oct. 15 at noon, Oct. 22 at 1 p.m., and Oct. 29 at 2 p.m. All are scheduled for the Newcomb Hall South Meeting Room; snacks and small prizes will be provided.

Phishing scams are a real problem on the Internet. Typically, they come in the form of an e-mail from an apparently trusted source that prompts the recipient to reply with personal data. Some phishing scams readily seem to be pretty "fishy" – an e-mail from a bank that holds none of the recipient's accounts, or the ubiquitous messages from Nigerian lawyers or European lottery officials claiming to be holding large sums of money for you, to be released once you provide an account number.

But such scams are becoming increasingly sophisticated, McDowell said. Last spring, several students reported having their bank accounts hit after they "confirmed" their account information based upon a request from a realistic-looking e-mail claiming to be from their banks; the complicated scam involved money traveling through Canada and China, abetted by hijacked computers in Los Angeles and Kansas, McDowell said.


Phishing scams are not limited to the Internet, either, she warned. There have been reports of automated phone calls, also purporting to come from your bank, saying that it is imperative that you "confirm" your account number by keying it in, she said.

But phishing is not the only hazard, said McDowell, who spends a lot of time monitoring the latest twists in the world of cyber scams.

Dangers lurk on popular social media sites like Facebook, LinkedIn and Twitter. For example, Facebook hosts third-party applications that can import the personal information of the user and of the user's friends.
"Nobody has any clue who put them up there or where they take you," she said. Such information could be used for nefarious purposes.

Similarly, Twitter users customarily convert lengthy URLs to shorter ones using one of the many URL-shortening sites before pasting them into a Twitter message, or "tweet," because such messages have a 140-character limit. But those compressed URLs also can mask the true source of the linked page, and take an unsuspecting Web surfer to a disreputable corner of the cyber world, she noted.

Then there's the "evil twin." Surfing wirelessly in the unsecured public networks that one often finds in coffeehouses and fast food joints has its hazards; that guy sipping his latte' with his laptop at the next table may be able to gain access to what you're doing, and steal your passwords and log-ins to sell on the black market, McDowell warned.

Asked for one suggestion that could help people survive the dangers that lurk in cyberspace, McDowell instead provides three. Only share personal information over the phone or the Internet if you have initiated the contact and are comfortable that you know with whom you are dealing. Never use a debit card online, because it puts you at risk of losing all the money from your checking account. And do not click on an e-mail link or attachment unless you are "absolutely certain" that its source is trustworthy; if in doubt, call the person who sent it to you first.

(Other tips are available at the Information Security, Policy, and Records Office security Web site.

The Internet can be so powerful and useful thatpeople often prefer not to think about the hazards. McDowell hopes that her phish costume offers a somewhat playful, humorous way to remind people to defend themselves.

While a few people she encountered last year were wary of being approached by a land shark, the ploy was mostly well received, she said. "Most people are pretty favorable and want to know more about it."