The Information Security Office has recently seen an increase in the number of BGSU email account holders responding to “phishing” email messages.  This activity by BGSU email account holders warrants a specific message about phishing activity and serves as a reminder to all users that all accounts are important to overall University security and reputations.

Q:  Will Information Technology Services (ITS), the Office of the Chief Information Officer (CIO), or the Technology Support Center (TSC) ever ask for a password by email?

A:  NO!  You will never be asked to provide private information by email including any of your account passwords.

Q:  What is phishing?

A:  Phishing messages normally arrive via email and are designed to gather information. They may appear to be legitimate such as from a university (help desk or specific IT related department), a bank, eBay, Paypal, or Internet service provider (ISP) or they may urgently request you click on a link. They are deliberately designed to attempt to obtain personal information such as usernames and passwords, credit card or bank account information by masquerading as a user or entity the user trusts. 

Q:  What does a phishing message look like?

A:  Examples of phishing messages received by BGSU email account holders are available at:

      http://www.bgsu.edu/offices/cio/page24161.html

Q:  What should I do if I receive a phishing email message?

A:  BGSU email account holders are advised to ignore and delete the message.  Above all users are advised - DO NOT REPLY.

Q:  What should I do if I have replied to a phishing email message?

A: If you have replied to one of these messages, please immediately change your password using the instructions found at: 

       http://www.bgsu.edu/its/tsc/self-help/page9443.html. 

Q:  I have a message that I am not sure is a phishing message, what can I do?

A:  Any email message that you are questioning may be directed to abuse@bgsu.edu for verification. Phishing “warning signs” are available for your reference at: 

       http://www.bgsu.edu/infosec/page56691.html . 

Q:  Why would someone try to obtain my BGSU username and password?

A:  Many phishing scams are trying to coerce you into giving out your username and password so they can access your email and send out spam that looks like it is coming from you.  They do this in hopes that someone who sees the email message form you will then click on their fraudulent link and provide some private information such as a credit card number or other personal information.

Q:  What can happen if spam messages are sent from a university’s email address?

A:  As a result of the volume of spam originating from these compromised accounts, the entire university community is vulnerable to being “blacklisted” by other external ISPs.  If BGSU is blacklisted by an external ISP recipients of that ISP (such as Gmail, Hotmail, Yahoo, AOL etc.) block all email originating from bgsu.edu.

Q:  Why does the university do to prevent these phishing scams?

A:  Many precautions are in place to catch and/or prevent unsolicited emails messages and work continues on catching the scams early.  However, all users are advised that in some instances the messages do get through and users should be extremely careful when dealing with them.  When one account is compromised, everyone is affected.  Members of the university community are encouraged to be aware of issues related to phishing and other Internet scams.  The best protection from phishing is education and diligence.  There is no technology solution to totally prevent it. 

More specific information about security, including phishing, is available at the Information Security web site:

      http://www.bgsu.edu/infosec and any questions may be directed to infosec@bgsu.edu .