Just say 'no' to emails requesting Stanford usernames and passwords

Internet scammers are trying to pry confidential information from Stanford faculty, staff and students by sending them emails – disguised as university mailings – asking for SUNet IDs, passwords, birthdates, Social Security numbers and phone numbers.


In response to a recent spate of phony emails, Stanford's Information Technology (IT) Services staff would like to remind everyone that the university will never ask faculty, staff or students to reveal their usernames or passwords in an email.

The fraudulent emails, which are created by Internet scam artists, are cleverly designed to trick people into responding.

Some phony emails lull recipients into complacency. One recent message sent to the Stanford community featured the innocuous subject line "Webmail users maintenance notice," and told recipients to send their user email ID and password to the fictitious "email Management Team."

Other fake emails use fear to elicit a response. An email that circulated on campus last summer carried the alarming subject line "Warning Notice!!!" and asked recipients to send their SUNet ID and password to a phony "upgrade team" to avoid having their email accounts "terminated immediately."

In computer lingo, a mass fraudulent email mailing is called a "phishing attack."

"Most phishing attack email messages are filtered out by our anti-spam software, but since these types of messages are constantly changing as the phishers try to keep ahead of the spam blockers, there are sometimes messages that do get through to end users," said Matthew Ricks, executive director of Computing Services, which is part of IT Services at Stanford.

What should you do if you receive a suspicious email?

Delete it. Or, if you're unsure about its authenticity, you can forward it to Stanford's Information Security Office at security@stanford.edu for review.

"Do not click on links listed in an email that you think may be a phishing attempt," Ricks said. "Even if the addresses look like they go to the right place, it is very easy to make bogus web addresses that look valid."

To learn more about protecting your computer and data from phishing and other attacks and scams, take the self-paced online course Computer Security Awareness (ISO-0001), available through STARS.

For more information, Ricks recommended an article posted on the Federal Trade Commission's website, "How Not to Get Hooked by a 'Phishing' Scam," and an article on online safety posted by Microsoft Corp., "How to recognize phishing e-mails or links."