E-mail scams target students

A dire warning about the possibility of a security breach in a Citibank checking account screams for action in a student's e-mail account. After reading the contents in the official-looking e-mail, he is directed to a Web site that looks exactly like an official bank site, down to the domain name. \nThe e-mail says he needs to immediately fill out a form with all his account information, including his social security number, or the account might be breached and looted by hackers. In a panic, he quickly fills out the forms online with all of the personal information requested. The next day, he goes to his ATM and finds it completely empty, all his money taken by international con-men.\nThis is a scenario that is happening both at IU and nationwide with more and more frequency, said IU Police Department Detective Greg McClure. This example is the latest in a series of "phishing" e-mails that find their way into students' e-mail boxes daily. \n"The Web sites look really real and professional," McClure said. "They just send tons of these e-mails out hoping someone has an account at the particular bank they are claiming to be. Then, once they get the information they're looking for, they clean out the victim's account, or even take out credit cards in their names." \nOne IU student victim recently filled out the information the site asked for and found his bank account completely empty the next day, McClure said. \nAn IU researcher has taken an interest in both the frequency and sophistication of these phishing attacks, and has come up with some alarming scenarios, according to a statement. Informatics Associate Professor Markus Jakobsson's report was recently cited by Howard Schmidt, chief information security officer for eBay, Inc., in front of a U.S. Congressional Subcommittee, according to the release. \nIn the scenarios Jakobsson outlines a variety of new, more personalized attacks that have yet to be used by con-men, but could very well be in the works. Even without these personal phishing attacks, the e-mails being sent out are still taking people's hard-earned cash, including the money of many IU students. \n"Phishing is getting more and more prevalent," Jakobsson said, "and more aggressive." \nIUPD itself isn't immune to attacks.\n"I even receive those in my IUPD account," said IUPD Lt. Jerry Minger, who is astonished at the amount of these e-mails he has seen.\nThe scenarios detailing context-based attacks include the possibility of "phishers" pretending to be a victim's friend, business associate or family member in an e-mail. The message will state that the victim needs to fill out personal information on a Web site, and because the message is coming from someone the victim trusts, it will have a much higher success rate. The phisher can find personal information such as names of spouses, friends and business partners through networking Web sites, Jakobsson said. \nAlthough it is hard to say when these context-aware attacks could start, there has already been a lot of progress in the sophistication of phishing attacks. \n"The old ones didn't spoof people as well, or at all," Jakobsson said. "Some old ones had spelling errors. New ones are done by professionals." \nVictims of these phishing attacks also will find it hard to recover their money, as most of their accounts are accessed overseas, McClure said. Once the money leaves the United States, there is nothing local or state police can do because of jurisdiction issues, McClure said. The only hope the victim has of catching these thieves is the Secret Service, which investigates thousands of such incidents.\n-- Contact staff writer Mike \nWilson at mhwilson@indiana.edu.