This email went out to all University employees this morning:
I need to bring to your attention an urgent matter; I hope you will read this carefully and cooperate with our IT professionals.
In the past week, 18 employees of the university have fallen victim to an e-mail based scam often described as “phishing.” The purpose of the scam is to enable Internet spammers to acquire university network account access information, which is then used to send unwanted spam messages to recipients around the world. The scam messages sometimes appear as legitimate requests for information designed to enable Information Technology personnel to address a specific recipient’s need or concern. These messages request user name and password information. When one of our users responds to such a request, the security of the university’s technology resources are compromised, and the account information is used to generate tens of thousands of illegitimate e-mail messages in a relatively short period of time.
The impact of falling victim to one of these scams is extensive. The distribution of many thousands of spam e-mails from the university’s systems significantly slows down the processing of legitimate e-mail traffic. When spam messages emanating from the university are received by other e-mail systems, the recipient sites routinely (and often in an automated fashion) add the university’s systems to “blacklists,” sites from which e-mail messages are unconditionally rejected. In the past week, the university has been blacklisted by numerous organizations, including large Internet providers such as Comcast. Blacklisting has prevented many members of our community from exchanging legitimate e-mail with people and organizations outside of the university. Information Technology personnel have invested dozens of hours identifying compromised accounts, deleting outgoing spam messages as these are identified and working through the process of removing the university’s systems from numerous blacklists.
It is important to remember that the Office of Information Technology will never send out a message asking for anyone’s password via e-mail, over the phone or in person. IT receives many spam/phishing attempts on a daily basis. The Help Desk staff always posts information regarding the latest phishing attempt on the IT Blog located at http:/www.sju.edu/blogs/oit.
If you have already responded to one of these scams, you must immediately change your password from the Forgot Password link in the red login box located at http://my.sju.edu. You should also notify the Help Desk at email@example.com or 610-660-2920 so that IT can determine if your account has been compromised in any way. This is a very serious matter. A single compromised account could jeopardize the security of all SJU members. So we ask that you do your part by keeping your password private.
A good way to know that an e-mail is fake and not from SJU IT is to remember that employees of SJU will never ask you to provide your User Id and Password via email. When the Saint Joseph’s University Help Desk sends out a message to the community, it will come from the email address firstname.lastname@example.org. The message will also have the SJU Office of Information Technology header at the top and usually contain “IT Alert or IT Outage” in the subject line. There is also a standard Help Desk signature that concludes the IT Alert or IT Outage emails.
Maintaining the security and integrity of the university’s technology resources is a responsibility shared by every member of the community. Your attention to this serious matter is greatly appreciated.
Brice R. Wachterhauser, Ph.D.