A few years ago, researchers at Harvard University and UC Berkeley published a rather interesting study about phishing ("Why Phishing Works", Dhamija, Tygar and Hearst, CHI 2006). After running a usability study to see how well people can detect phishing attempts, they found that:

23% of the study's participants did not look at the address bar, status bar, or the security indicators

68% proceeded without hesitation when presented with popup warnings about fraudulent certificates

90% were fooled by good phishing websites.

Neither education, age, sex, previous experience, nor hours of computer use showed a statistically significant correlation with vulnerability to phishing.

To make matters worse, the study's participants were actually trying not to get tricked. "Our study primed participants to look for spoofs," the researchers explain, "thus, these participants are likely better than 'real-world' (un-primed) users at detecting fraudulent web sites."

Clearly, phishing is a serious problem, and anyone, anywhere could be vulnerable. Jeff Anderson, the CIO of Auburn University at Montgomery, knew this and sent out an email warning all students and faculty to be on the lookout for phishing activity.

From: Jeff W. Anderson, Ph.D.

To: Everyone

Priority: High

Subject: Email Phishing Warning

We have noticed an increase in phishing attempts, similar to the message below. AUM will never request that you provide your user name and password in an e-mail. You should not provide any private information, including passwords, through e-mail. Here is an example of a recent phishing attempt:

-------------------------------------------

Subject: ATTENTION: EDU WEBMAIL SUBSCRIBER:

ATTENTION: EDU WEBMAIL SUBSCRIBER:

This mail is to inform all our {EDU WEBMAIL} users that we will be upgrading our site in a couple of days from now. So you as a Subscriber of our site you are required to send us your Email account details so as to enable us know if you are still making use of your mail box. Further informed that we will be deleting all mail account that is not functioning so as to create more space for new user. so you are to send us your mail account details which are as follows:

*User name:

*Password:

Failure to do this will immediately render your email address deactivated from our database. Your response should be send to the following e-mail address.

(end of phishing example)

-------------------------------------------

Other phishing attempts include messages that appear to have been sent from financial institutions or companies such as Microsoft. Your financial institution will never ask you to provide your account information through e-mail, and Microsoft does not send out updates through e-mail. When you receive these types of messages, you should delete them and not respond. It is also a good practice to avoid clicking on any links in suspicious e-mail messages.

If you feel you have been a victim of a phishing scheme regarding your AUM account, please contact the ITS Help Desk at 244-3500 or helpdesk@aum.edu

Thank you,

Jeff W. Anderson, Ph.D.

Chief Information Officer

Auburn University - Montgomery



Obviously, a single email won't prevent all phishing scams -- especially the advanced variety that links to convincing websites -- but it should at least remind people to never, ever email their password. Right?

Not so much. A few days later, Jeff was forced to send an update to his previous email.

From: Jeff W. Anderson, Ph.D.

To: Everyone

Priority: High

Subject: Phishing Update

I would like to stress, again, that you should NEVER send your user name and password to ANYONE through email. If you receive a request for this information, it is most likely an attempt to use your account for fraudulent purposes.

In my previous alert, I included the text of a phishing email as an example. Some students misunderstood that I was asking for user name and password, and replied with that information. Please be aware that you shouldn't provide this information to anyone.

If you do receive an email requesting your credentials, please call the help desk at 244-3500, or forward the email to helpdesk@aum.edu. Do not reply to the message, even if it states that your account will be disabled.

I apologize for the confusion.

Thank you,

Jeff W. Anderson, Ph.D.

Chief Information Officer

Auburn University - Montgomery
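The failure mode here is instructive: the warning quoted the phishing template verbatim, fill-in fields included, and some recipients filled it in and hit reply. Two practical defences follow from that. First, when you quote a phishing sample in an alert, strip or neutralise the fillable fields (for example, show "[user name]" and "[password]" placeholders, or attach a screenshot) so the alert cannot itself be "answered". Second, an outbound mail rule can catch the replies. The following is an added example, not code from the original post or anything AUM runs, of such a check: it assumes a mail gateway or DLP hook that can hand it the body of an outbound message, it ignores quoted (">") lines so a reply that merely carries the alert underneath it is not flagged, and it treats an empty field as the unfilled template rather than as a credential. The sample messages are constructed to mirror the shapes in the post.

```python
import re

# Field labels the quoted phishing template asked victims to fill in. Matched
# case-insensitively, with the template's optional leading "*".
LABEL = re.compile(r"\*?\s*\b(user\s*name|password)\s*:", re.IGNORECASE)


def credential_fields(body: str) -> dict:
    """Return the filled-in credential fields found in the unquoted part of a
    message body, e.g. {"username": "jdoe", "password": "hunter2"}.

    Lines quoted from an earlier message (leading ">") are dropped, so a reply
    that merely carries the original alert underneath it is not penalised. A
    field's value runs from its label to the next label or the end of the line;
    an empty value means the template was left blank, not that a credential was
    supplied. This also handles the flattened "*User name: *Password:" form.
    """
    text = "\n".join(
        line for line in body.splitlines() if not line.lstrip().startswith(">")
    )
    labels = list(LABEL.finditer(text))
    found = {}
    for i, m in enumerate(labels):
        stop = labels[i + 1].start() if i + 1 < len(labels) else len(text)
        value = text[m.end():stop].split("\n", 1)[0].strip()
        key = "username" if m.group(1).lower().startswith("user") else "password"
        if value and key not in found:
            found[key] = value
    return found


def leaks_credentials(body: str) -> bool:
    """True when a message carries both a user name and a password in its own
    (unquoted) text, which is the condition a gateway rule would quarantine on.
    A lone password-looking line is not enough: the CIO's own alert contains
    the "*Password:" label followed by prose on the same line."""
    fields = credential_fields(body)
    return "username" in fields and "password" in fields


# Constructed samples (not real AUM mail), mirroring the shapes in the post.
ALERT = """AUM will never request that you provide your user name and password in an e-mail.
Here is an example of a recent phishing attempt:
*User name:
*Password:
Failure to do this will immediately render your email address deactivated.
(end of phishing example)
"""

# The same alert as it arrives when line breaks are lost in transit.
FLATTENED_ALERT = ("your mail account details which are as follows: *User name: "
                   "*Password: Failure to do this will immediately render your "
                   "email address deactivated.")

# A student's reply: filled-in fields on top, the quoted alert underneath.
STUDENT_REPLY = """Here is my information so my account is not deleted.
*User name: jdoe
*Password: hunter2

> Here is an example of a recent phishing attempt:
> *User name:
> *Password:
"""

if __name__ == "__main__":
    samples = [("alert", ALERT), ("flattened alert", FLATTENED_ALERT),
               ("student reply", STUDENT_REPLY)]
    for name, body in samples:
        verdict = "QUARANTINE" if leaks_credentials(body) else "deliver"
        print(f"{name}: {verdict} {credential_fields(body)}")
```

The rule is deliberately narrow (both a user name and a password, outside quoted text) so that the alert itself, forwarded copies of it, and people writing "never send your password" do not trip it; a quarantined message should go to the help desk, which can reset the account before the reply ever reaches the attacker.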



Thanks to AUM student Justin for passing this along