The University briefly suspended the e-mail accounts of roughly 10 individuals as a result of a phishing scam that targeted the University during final exam period, University spokeswoman Emily Aronson said.
Over 2,000 University students, faculty and staff received the e-mail in question on Jan. 21. The e-mail claimed to be from “Princeton Webmail Support” and directed recipients to “reply to this message and enter your password ... or your Webmail account will be deactivated.”
Of the 30 people who responded to the e-mail, 10 submitted their passwords and as a result lost control of their accounts. OIT suspended the compromised accounts and contacted the users in question to reopen their accounts and reset their passwords.
“OIT responded immediately to prevent further delivery of the e-mail,” Aronson said. All users have now been reconnected with their accounts, she added. OIT also blocked all e-mail from the purported “Princeton Webmail Support” sender and prevented anyone on campus from sending e-mail to princetonu@yahoo.com, the reply address of the phishing e-mail.
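The two controls described above, an inbound filter and an outbound block on the reply address, are simple to express as mail-gateway rules. The following is an added example written for this page, not OIT's own filtering code: it parses a constructed message resembling the one in the article, flags it when the effective reply address is off-campus (or already blocklisted) and the body asks for a password by reply, and refuses outbound delivery to a blocklisted address. The sample headers (the spoofed princeton.edu From address, the recipient addresses, the lure phrases) are assumptions for the illustration; only the reply address princetonu@yahoo.com and the quoted wording come from the article.

```python
"""Mail-gateway rules of the kind described in the article (added example)."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INSTITUTION_DOMAIN = "princeton.edu"                 # assumed internal domain
BLOCKED_REPLY_ADDRESSES = {"princetonu@yahoo.com"}  # reply address named in the article
PASSWORD_LURES = (                                   # assumed lure phrases; the first is from the article
    "enter your password",
    "reply with your password",
    "account will be deactivated",
)

# Constructed sample resembling the phishing message (not the actual e-mail).
PHISH = b"""From: "Princeton Webmail Support" <webmail-support@princeton.edu>
Reply-To: princetonu@yahoo.com
To: student@princeton.edu
Subject: Webmail account verification
Content-Type: text/plain; charset=us-ascii

Dear user, reply to this message and enter your password and username
or your Webmail account will be deactivated.
"""

# Constructed legitimate notice for comparison.
LEGIT = b"""From: "OIT Help Desk" <helpdesk@princeton.edu>
To: student@princeton.edu
Subject: Your help request
Content-Type: text/plain; charset=us-ascii

Your request has been updated. Log in at the OIT portal to view it.
"""


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def classify_inbound(raw: bytes) -> dict:
    """Return a verdict ('block' or 'deliver') plus the reasons for it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # The address a reply actually goes to: Reply-To if present, else From.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "") or msg.get("From", "")))
    reply_addr = reply_addr.lower()
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content().lower() if part is not None else ""

    reasons = []
    blocklisted = reply_addr in BLOCKED_REPLY_ADDRESSES
    if blocklisted:
        reasons.append("reply address is blocklisted")
    external_reply = _domain(reply_addr) != INSTITUTION_DOMAIN
    if external_reply:
        reasons.append("replies go to an address outside " + INSTITUTION_DOMAIN)
    lure = any(phrase in text for phrase in PASSWORD_LURES)
    if lure:
        reasons.append("asks for password by reply")

    # A known-bad reply address, or an off-campus reply channel combined with
    # a credential request, is enough to quarantine the message.
    block = blocklisted or (external_reply and lure)
    return {"verdict": "block" if block else "deliver",
            "reply_to": reply_addr, "reasons": reasons}


def outbound_allowed(recipient: str) -> bool:
    """Outbound rule: refuse delivery to any blocklisted reply address."""
    return recipient.lower() not in BLOCKED_REPLY_ADDRESSES


if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, classify_inbound(sample))
    print("outbound to princetonu@yahoo.com allowed:",
          outbound_allowed("princetonu@yahoo.com"))
```

Keying on the effective reply address rather than the displayed sender name is the point: the display name is free text the attacker controls, while the Reply-To is where the stolen password would actually be sent, and it is also the address a gateway can refuse to deliver to once the campaign is known.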
Public Safety also responded to the scam and sent a Campus Safety Alert to Princeton Webmail users, warning them about the scam. The e-mail “appears to originate from outside the US, possibly from Nigeria,” Public Safety Deputy Director for Operations Charles Davall said, adding that the way the e-mail had been redirected from its original source suggested that country. It is likely that the scam was designed to obtain personal information that could facilitate identity theft, Davall said. The University will continue to investigate the scam’s source.
According to experts, this e-mail was part of a larger wave of scam e-mails targeting more than a dozen universities in January, including Columbia, Duke and Notre Dame. “We’ve seen large, small, and private institutions attacked,” Douglas Pearson, a technical director at the Research and Education Network, said in an article in SecurityFocus, a web publication that provides information regarding IT security.
Unlike ordinary “spam” e-mails, which advertise products, this message was a “phishing” attempt, which tries to trick recipients into divulging personal information. Sophisticated phishers often direct users to an official-seeming “spoofed” website that asks for sensitive information, such as credit card or Social Security numbers; this campaign took the cruder route of simply asking recipients to reply with their password. Nationwide, an estimated 1.2 million computer users suffer losses from phishing every year, with estimated losses totaling $3 billion.
Davall estimated that four to five phishing e-mails were sent to students last year, mainly targeting members of the Princeton University Federal Credit Union. “In the end,” he said, “it comes down to the individual user” to foil such scams. “Anytime you get an e-mail to change your password, be suspicious,” he said. “Contact the institution to be sure.”
Aronson concurred. “The University tries to respond quickly to monitor and prevent these e-mails,” she said. “Many don’t make it through the spam filter.” Nevertheless, end users are ultimately responsible: “The best defense is being aware and vigilant.”
