Computer News of The University of Hong Kong Computer Centre
Computer News No. 137 Jan.-Feb. 2009

From the Helpdesk - Beware of Fake Emails Asking for Personal Information

    1. Phishing Attacks - Fake Emails Asking for Your Personal Information
    2. Protect Against Phishing Attacks

1. Phishing Attacks - Fake Emails Asking for Your Personal Information

"Phishing" (pronounced "fishing") is the practice by which attackers on the Internet attempt to acquire other people's sensitive information, such as usernames, passwords and credit card numbers, for malicious purposes.  "Phishing emails" are spam messages that falsely claim to come from a legitimate organization.

These emails may deceive recipients into believing they were sent by the Computer Centre or the University (e.g. from xxx@yyy.hku.hk) and ask them to supply personal information such as account name, password, identity card number or date of birth, or lead them to malicious websites under a deceptive subject line, for example an important HKU alert.

Recently, a number of phishing email cases were recorded.  The attackers sent out emails using a forged HKU sender address (e.g. "help@hku.hk") or identity (e.g. "HKU Abuse Unit" or "HKU Maintenance Team") so that the messages appeared to come from HKU.  We immediately alerted University members not to respond to these fraudulent emails, which were intended to steal members' identity and account information.

As the sender address or identity in any email message can be forged, we would like to remind all members to pay special attention to the following:

-    The Computer Centre will NEVER send emails asking for confidential information such as your account password to be submitted through a web site or by replying to an email;

-    Always be cautious before giving out any personal or identity information via email or other channels to any party, in particular when the request comes from someone you don't know;

-    Even if you receive such a request from someone you know, verify the legitimacy of the email or web site with the organization that provides the service before responding or visiting the suspicious web site, unless you are sure that it is the proper process for supplying such information; and

-    REMEMBER to change your password immediately if you suspect that you have already been defrauded (e.g. you responded to a phishing email or supplied your personal/financial information to a fraudulent website).

2. Protect Against Phishing Attacks 

Be an alert computer user.  The Information Security website of the HKSAR Government (http://www.infosec.gov.hk/english/anti/protect_gen.html) gives useful advice on how to protect against phishing and spyware attacks:

Do's:

  1. Do open email attachments with extreme care.  Always check the attachment's extension.  Never open attachments with a "pif", "exe", "bat" or "vbs" extension.

  2. Do avoid conducting online banking or financial enquiries/transactions from public or unsecured terminals, such as those in cafes or libraries.  Hacking tools or Trojan horse programs may have been installed on such terminals.

  3. Do type the URL manually, or follow bookmarks you made previously, when visiting websites.

  4. Do take special care when giving out sensitive personal or account information.  Banks and most organisations seldom ask for your personal or account information through email.  Consult the relevant organisation if in doubt.

  5. Do ensure that your computer has the latest security patches and anti-virus measures applied, to reduce the chance of being affected by fraudulent emails or websites that exploit software vulnerabilities.  This also helps to protect your computer from other security or virus attacks.

Don'ts:

  1. Don't follow URL links from untrusted sources or emails such as spam, to avoid being redirected to malicious websites by links that look legitimate.

  2. Don't visit suspicious websites or follow the links provided on those websites.

  3. Don't follow links from search engine results to log on to banking or financial organisations.

  4. Don't open other browser sessions or access other websites while you are performing online financial transactions or enquiries.  Remember to print or keep a copy of the transaction record or confirmation notice for checking.
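The three warning signs this article relies on (a sender address or identity that does not match where replies actually go, a link whose visible text shows one site while it points to another, and an attachment with a "pif", "exe", "bat" or "vbs" extension) can be checked mechanically before anyone clicks. The script below is an added example, not Computer Centre tooling; the two email messages in it are constructed for illustration, and the sender, domains and file name in them are invented. It uses only the Python standard library.

```python
"""Triage checks for a raw email message: a From header whose domain differs
from Reply-To / Return-Path, deceptive HTML links, and dangerous attachments.
Added example; both sample messages below are constructed, not real phish."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions the advice says never to open.
DANGEROUS_EXTENSIONS = {"pif", "exe", "bat", "vbs"}

# Link text that looks like an address ("www.hku.hk", "http://hku.hk/x").
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain_of_address(addr):
    """Lower-cased domain part of an email address header, '' if absent."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def _host_of(text):
    """Host name from a URL or from a bare 'www.example.com' string."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def analyse_message(raw):
    """Return a list of human-readable findings for one raw RFC 822 message.

    An empty list means no indicator fired; it does not prove the mail is
    genuine, since a From header alone can be forged without leaving traces.
    """
    msg = message_from_string(raw, policy=default)
    findings = []

    from_domain = _domain_of_address(msg["From"])
    # A forged From header usually comes with a Reply-To or Return-Path
    # pointing elsewhere, because that is where the attacker needs replies.
    for header in ("Reply-To", "Return-Path"):
        other = _domain_of_address(msg[header])
        if other and other != from_domain:
            findings.append(f"{header} domain {other!r} differs from From domain {from_domain!r}")

    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = filename.rpartition(".")[2].lower()
            if ext in DANGEROUS_EXTENSIONS:
                findings.append(f"dangerous attachment type: {filename}")
            continue
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                shown = _host_of(text) if URL_LIKE.match(text) else ""
                actual = _host_of(href or "")
                if shown and shown != actual:
                    findings.append(f"link text shows {shown!r} but points to {actual!r}")
    return findings


# Constructed phishing sample in the style the article describes (invented domains).
SAMPLE_PHISH = """\
From: HKU Maintenance Team <help@hku.hk>
Reply-To: HKU Maintenance Team <hku.helpdesk@mail.example>
Return-Path: <bounce@mail.example>
To: student@hku.hk
Subject: Important HKU alert: confirm your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your mailbox is full. Confirm your password at
<a href="http://hku.hk.account-verify.example/login">www.hku.hk</a>
within 24 hours.</p></body></html>
--b1
Content-Type: application/octet-stream; name="form.exe"
Content-Disposition: attachment; filename="form.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed benign notice: no reply redirection, no links, no attachment.
SAMPLE_LEGIT = """\
From: Computer Centre <help@hku.hk>
To: student@hku.hk
Subject: Scheduled maintenance this weekend
Content-Type: text/plain; charset="utf-8"

The email service will be unavailable on Saturday 02:00-04:00.
"""

if __name__ == "__main__":
    for finding in analyse_message(SAMPLE_PHISH):
        print(" -", finding)
```

Run it on the constructed phishing sample and all three indicators fire: both Reply-To and Return-Path point to a domain other than hku.hk, the link text reads www.hku.hk while the href leads to a look-alike host, and form.exe is flagged; the benign notice produces no findings. The Reply-To / Return-Path comparison is only a heuristic, which is why the article's rule still stands: confirm with the organisation itself rather than trusting any header.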

Besides, we would also like to advise University members to take more care when using social networking sites such as Facebook, MySpace, Friendster, etc.  While these sites provide popular channels for people to communicate and share information, the personal information uploaded to them may not be fully protected from improper or unauthorized use.  Members may wish to think twice before disclosing personal information on these sites, as it is a potential security threat that could result in identity theft and other fraudulent activity; see, for example, the recent controversy over Facebook's new Terms of Service.

