Stanford offers tips for blocking email 'phishing' attacks

Information security is everyone's responsibility. IT Services is offering updated guidance on how to help prevent email-based attacks on Stanford's systems.

Campus officials have a strong message for everyone who uses Stanford email systems: It's time to get serious about stopping phishing. And it's everyone's responsibility.

A phishing attempt is an email that seeks to lure the recipient into divulging passwords, financial account numbers or other personal information, or into going to a website rigged to commandeer the recipient's computer. While some of these emails are easy to identify, many are difficult to discern because they appear authentic down to the last detail.

Being tricked by one of these emails doesn't just make one's own personal information vulnerable. It puts the security of the entire university at risk because of the potential for scammers to gain access to systems inside the university's firewall. Gaining this access makes it easier and quicker for scammers to launch additional cyber-attacks, and it may compromise others' personal information stored in university systems – a grade sheet for students, a salary worksheet for employees, or other data.

"Our information security systems at Stanford are only as strong as their weakest link," President John Hennessy said. "Even if you think you have nothing of importance on your computer, you make Stanford's entire network more vulnerable when you click on a link in a phishing email. All of us – faculty, staff and students – need to become hyperaware of these attacks and take steps to ensure they do not succeed."

IT Services is providing the campus community with updated guidance for recognizing phishing attempts, including the "anatomy of a phishing email."  Examples of recent phishing campaigns are on the IT Services website as well.  

Here are four key pieces of advice for all Stanford email users:

1. Get into the habit of looking carefully at your email.

Don't assume that because an email appears to come from a Stanford office, or even from a colleague or friend, it is necessarily legitimate. With the increasing sophistication of phishing attacks, many scammers can mimic the appearance of an email from a Stanford department, a financial institution where you are a customer or another source.

Consider particularly suspicious any unsolicited emails asking you to "verify your account," "confirm your password," or otherwise share personal information. Other features to watch out for in emails include unfamiliar "from" email addresses, threats about your account status and requests from a foreign country for financial assistance. An email seeking assistance may even appear to be from a friend or family member, but it may be a case in which someone has penetrated that person's account and is using it to defraud others. If you are inclined to respond to the request, do so by phone.

2. Don't click on links in emails unless you are confident they are legitimate. Better yet, go to a website by typing its URL into your browser rather than clicking on a link.

A link in a malicious email may take you to a web page that is infested with malware or that tries to obtain your personal information. Do not enter your Stanford username, password, or two-step authentication code on any webpage except Stanford's WebLogin page. To verify that you have not been directed to a fraudulent WebLogin site by a malicious email link, always confirm that the URL appearing in your web browser's location bar begins with exactly ""

Be aware that scammers can make the link you see in an email appear different from the actual underlying web address. Even if a link in an email appears to contain "" within it, don't automatically trust it. If you hover your mouse over a link, the actual URL will be displayed in a popup window or at the bottom of your browser window.

A better approach than clicking a link in an email, even if you are not suspicious of the link's authenticity, is to go to the relevant website by entering the URL in your browser manually. For instance, if you want to change your password for your SUNet account, go to the Accounts page on the Stanford website rather than following a link in an email, which in some instances could be malicious.

3. Be cautious about opening email attachments.

Attachments can contain malicious software that compromises your computer when opened.  An attachment may appear to be a benign document type, such as PDF, but is actually a virus in disguise. For instance, an attachment may be named "looksOK.pdf     .exe," in hopes that the recipient will believe the document is a PDF rather than an executable file with an ".exe" extension.

One type of virus that is increasingly prevalent, called "ransomware," encrypts the files on your computer along with those on any network file shares accessible by you from that computer, then sends you a notice demanding a large sum of money for the decryption key. This form of infection is highly disruptive to those affected, and massive amounts of valuable data can be irretrievably lost.

As a recent security enhancement at Stanford, for all inbound and outbound email, attachments commonly associated with malicious software are now being blocked automatically. Affected inbound messages are delivered with an explanatory note in place of the attachment, and outbound messages are rejected with an error message.

4. When in doubt about an email, stop and confirm.

If appropriate, contact the colleague whose signature is on the email to confirm that he or she sent it. Or, contact the IT Service Desk at (650) 725-HELP or submit a HelpSU request on the Stanford website if you wish to report or get assistance with a possible phishing attempt.

The university is pursuing a range of other initiatives to further strengthen information security. Two-step authentication was recently deployed for all SUNet accounts, which provides extra protection for the university's web-based services and reduces the risk posed by phishing. Two-step authentication will be integrated into additional systems such as VPN (Virtual Private Network) in the coming months. In parallel, the Information Security Office and IT Services are evaluating products and exploring additional mechanisms to improve filtering of phish and spam for incoming email messages.