ASIC and IMSS Warn Against Sophisticated Phishing Scams

Caltech, like most universities and companies, is a frequent target of phishing attacks and fraud scams. The Institute has seen a significant rise in the number of attacks and scams in the past year.

These increasingly sophisticated scams include sending a fake email that appears to come from a person in authority, such as the President, Chief Financial Officer, or a manager or director. The email typically claims an urgent need for the recipient to log in using a link in the message, and may ask for other information, such as a Social Security Number, home address, W-2 information from a payroll or human resources system, or other financial or private information.

Two such scams succeeded at Caltech within the past month. Although we hear about these situations in the news daily, it really hits home when it happens to our own campus personnel. In one case, after gaining access to an employee's email account, the attackers were ultimately able to change that person's direct deposit banking information; a compromised mailbox is often all an attacker needs, since password resets and change confirmations for other systems are delivered there. In another, an employee was fraudulently convinced to buy gift cards on the scammers' behalf.

We all need to be more vigilant when we receive emails asking us to click a link and log in, or to provide financial or other personally identifiable information, even when the message appears to come from a third-party vendor that does business with Caltech. Avoid using links that arrive by email. Where it is necessary, first hover over the link (or press and hold on a mobile device) to see the actual destination before clicking, and check that the domain shown is one you expect: the visible text of a link can say one thing while the underlying address points somewhere else entirely, and look-alike domains are chosen precisely to survive a quick glance. When in doubt, type the address of the service you already know into your browser instead of following the link.
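The advice above is to look at where a link really goes rather than at what it says. The following script is an added example, not part of the original IMSS notice, showing the same check done mechanically over an HTML email body: it extracts every link, compares the visible text with the real destination, and flags destinations outside a trusted domain set or served over plain http. The sample message, the TRUSTED_DOMAINS set and the two-label domain heuristic are constructed for illustration and are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML email body (not a real message).
# The first link shows a caltech.edu address but points elsewhere; the second is genuine.
SAMPLE_EMAIL_HTML = """
<p>Dear colleague,</p>
<p>Your payroll profile requires urgent verification. Please
<a href="http://caltech-payroll-verify.example.net/login">log in at https://access.caltech.edu</a>
within 24 hours.</p>
<p>Questions? See <a href="https://imss.caltech.edu/node/1399">IMSS phishing guidance</a>.</p>
"""

# Assumption: domains the reader considers legitimate for this organisation.
TRUSTED_DOMAINS = {"caltech.edu"}


class LinkExtractor(HTMLParser):
    """Collects (href, visible_text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Adequate for .edu/.com, not for co.uk-style suffixes."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url):
    return urlparse(url).hostname or ""


# Matches a full URL or a bare domain appearing in the link's visible text.
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+|(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def assess_link(href, text):
    """Return reasons a link looks suspicious; an empty list means nothing was flagged."""
    reasons = []
    target_host = host_of(href)
    target_dom = registrable_domain(target_host)
    if target_host and target_dom not in TRUSTED_DOMAINS:
        reasons.append(f"destination {target_host} is outside trusted domains")
    # Visible text that itself looks like a URL or domain but differs from the real target.
    for m in URL_IN_TEXT.finditer(text):
        shown = m.group(0)
        shown_host = host_of(shown) if shown.lower().startswith("http") else shown
        if registrable_domain(shown_host) != target_dom:
            reasons.append(f"text shows {shown_host} but href goes to {target_host}")
    if urlparse(href).scheme == "http":
        reasons.append("plain http link")
    return reasons


def scan_email(html):
    """Return [(href, visible_text, reasons)] for every link in the HTML body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL_HTML):
        print(f"[{'SUSPICIOUS' if reasons else 'ok'}] '{text}' -> {href}")
        for reason in reasons:
            print("    -", reason)
```

Running it flags the payroll link three times (untrusted destination, text/href mismatch, plain http) and passes the IMSS link. The "outside trusted domains" rule will also flag legitimate third-party vendors; that is deliberate, since the notice asks for the same scrutiny of vendor email, but it means a flag is a prompt to verify, not proof of fraud.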

We should also be aware that reusing the same password for your work account and for personal accounts makes a compromise worse: once a password is stolen from one site, attackers try it against others. Best practice is to use a unique, hard-to-guess password for every account. A password manager can keep track of them so that uniqueness does not depend on memory.

IMSS offers consultation and training for Institute personnel and departments on the scam and fraud techniques to watch out for, including tips for identifying suspicious emails related to phishing, identity theft schemes, or other attempts to compromise computing equipment and personal information.

For additional information on how to identify and avoid phishing scams, see the IMSS website: http://imss.caltech.edu/node/1399.

If you receive an email that you believe is suspicious, DO NOT click any links in it, and do not "unsubscribe" from or acknowledge the email in any way; any reply confirms to the sender that your address is live. Instead, contact IMSS immediately by calling the Help Desk at x3500, by opening a Help Desk ticket online, or by emailing Information Security directly at security@caltech.edu for guidance and assistance.