As mentioned in the Information Security Basics web page entitled "E-mail threats, SPAM and phishing", phishing is an attempt by a malicious individual or group to trick you into providing personal information, such as passwords, bank account numbers, and credit card numbers, by crafting an e-mail message that can look very official and appears to come from an organization to which you belong or with which you do business.
The presentation quality of the phishing attempt can range from a simple text message to one with an elaborate design involving organization logos, photographs, standard fonts and official-looking signatures. And phishing is not limited to e-mail. Many people have given information over the phone to a phisher posing as an IRS agent. Regardless of the quality and technique used, most phishing attempts convince at least a few people to respond so that they avoid the consequences stated in the phishing attempt, e.g., "If you do not provide this information, your account will be closed."
The key thing to remember is: No reputable organization will ever contact you via e-mail, text, phone, etc., to obtain your password or other private information.
Nonetheless, if you find yourself among the millions of people who have responded to phishing and have exposed their personal information, you should do the following:
- If the phishing message was directed to your UHCL e-mail account, report the incident to the Information Security Office through the UCT Support Center at extension 2828 or firstname.lastname@example.org.
- Reset any passwords that you may have exposed. If you use the same password across multiple sites, you need to reset them all. Remember to use a different password for each site into which you enter private, sensitive data so a compromise of one system does not turn into a compromise of many.
- If the information provided can be used to access any other institution, contact the customer service center of each affected institution.
- If you exposed any financial account information, such as your credit card or bank account number, report the incident to the financial institutions involved.
- If any piece of information was exposed that could be used to open financial accounts (e.g., your Social Security Number, date of birth, place of birth, mother's maiden name, bank account numbers, credit card numbers), contact any of the three major credit bureaus and ask them to lock your credit record and sign up for their credit monitoring service, a fee-based service that will automatically notify you whenever your credit record is accessed. When you lock your credit record, no other organization can check your credit without your permission. Here are the websites for the three major credit bureaus:
- The websites of national agencies that deal with Internet fraud provide helpful information about dealing with identity theft issues: