Maintained for Historical Purposes

This resource is being maintained for historical purposes only and is not currently applicable.

Summary: Security Alert -- Protect Against Identity Theft and Other Scams

Publication Date: June 2006

Author: Katie Blot, Chief Information Officer

Posted on 06-20-2006

We would like to take this opportunity to ensure that all of our Federal Student Aid partners are aware of the worldwide growing identity theft scams such as Phishing and Pharming.

Department of Education and Federal Student Aid users are not immune to these scams, and we urge you to review carefully the information and advice contained in this announcement and to share it with your staff as appropriate.

What is Phishing?

Phishing is a fraudulent, spoofed e-mail that looks as if it was sent by someone you do business with. It will usually include official logos and look very authentic. The body of a Phishing e-mail may contain a message requesting that you update, validate, or verify your personal/Privacy Act protected information. The purpose of the e-mail is to get you to disclose personal/Privacy Act protected information such as PINs, social security numbers, account numbers, mother's maiden name, passwords, etc. Some e-mails may also contain links that take you to an "official looking" web site that sets up a scenario in which personal/Privacy Act protected information is requested. These web sites may not be legitimate!

Protecting Against Phishing E-mails

To minimize risk to yourself, if you receive Phishing e-mail:

  • Never give out personally identifiable information in an e-mail or to a web site that has a link in an e-mail without validating it with the legitimate source.
  • Do not open e-mail with attachments or enclosures if it is from an unknown source.
  • Do not reply to the e-mail.
  • Do not type or paste any information into the e-mail.
  • Do not click on any links contained within the e-mail from any unknown source.
  • Use an open source tool. There are many commercial as well as free open source tools that can protect one from Phishing. A web search for "spoof guard," "Phishing protection," and "password hashing security" will reveal many of these tools. SpoofGuard and Netcraft Toolbar are only examples of the numerous products available to the public.

What is Pharming?

Pharming is the next generation of e-mail phishing attacks. However, it does not rely on a spoofed e-mail; instead, a URL you request is redirected to a fraudulent URL without your knowledge. There are several methods the pharmer uses to accomplish this, all of which are very hard to detect. You might type a valid URL in your browser only to end up at a fraudulent site that looks just like the one you thought you were going to access.

Protecting Against Pharming

To minimize risk to yourself, if you receive a Pharming URL:

  • Use anti-virus software and a firewall. AVG and Zonealarm are only examples of the numerous products available to the public.
  • Ensure that your browser is kept up to date and security patches are applied.
  • Install a spyware detection and removal program. Ad-aware is only an example of the numerous products available to the public.
  • Consider installing a Web browser tool bar to help protect you from known fraud websites. IE 7 and Netcraft Toolbar are only examples of the numerous products available to the public.
  • Look for website privacy policies. Avoid doing business with any site that does not post its privacy policy.
  • Limit the number of websites and amount of personal information you share on the Internet.
  • Look for misspelled words and bad formatting. This may be an indication of a pharming site.
  • If a password is needed, enter an incorrect password first. A fraudulent site does not know your real password and will usually accept whatever you type, whereas the legitimate site will reject it.
  • Use a reputable Internet Service Provider.

Reporting Phishing E-mails and Pharming

If you have already received or replied to a suspected Phishing e-mail that appears to be from the Department of Education, Federal Student Aid, or one of the Federal Student Aid systems or web sites (for example, the Common Origination and Disbursement (COD) web site) soliciting personal/Privacy Act protected information, please contact the Help Desk for that site so staff can investigate the e-mail. If you receive a suspected Phishing e-mail in the future, please also notify the Help Desk for that site.

If you have already received or replied to a Phishing e-mail or Pharming URL that does not appear to come from the Department of Education and that solicits personal/Privacy Act protected information, you should contact the legitimate institution by telephone immediately and inform the institution of the e-mail. Attachment A provides additional information related to Phishing scams as well as additional guidance in protecting against them.

Resources

To assist you in protecting against Phishing and Pharming scams, we are attaching a document to this announcement for use by you and your staff. Attachment B is a brief summary of information about Phishing in a format that you can use to make copies suitable for posting.

Additionally, we want to make you aware of a Microsoft resource that is available to protect against Phishing scams. To check out the legitimacy of a web site:

  • Replace the current URL in the address bar with the following javascript (exactly as written below).
    javascript:alert("The actual URL is:\t\t" + location.protocol + "//" + location.hostname + "/" + "\nThe address URL is:\t\t" + location.href + "\n" + "\nIf the server names do not match, this may be a spoof.")
  • Depress the <RETURN> or <ENTER> key.
  • Compare the actual URL with the URL in the Address bar.
  • If the URLs do not match, the web site is likely misrepresenting itself. In this case, you may want to close Internet Explorer.
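The bookmarklet above only displays the real server name and leaves the comparison to the reader. The following is an added example, not part of this announcement or of the Microsoft resource it refers to, that performs the same comparison in code: it uses the WHATWG URL parser built into browsers and Node.js to recover the host the browser will actually talk to, checks it against the host the user expects, and applies the same check to e-mail links whose visible text names one site while the href points to another. The host names "ed.gov", "cod.ed.gov" and "evil.example" are constructed sample values.

```javascript
// Added example (not from the original announcement). Compares the host
// a user expects to be on with the host the browser actually loaded.

// Returns the real host of an absolute URL, or null if it does not parse.
// URL parsing discards userinfo tricks such as "https://cod.ed.gov@evil.example/",
// where the part before "@" is a username, not the server.
function actualHost(href) {
  try {
    return new URL(href).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// True when the loaded host is the expected host or a genuine subdomain of it.
// The leading "." in the suffix test stops "ed.gov.example.com" from passing
// as "ed.gov".
function isExpectedHost(expectedHost, href) {
  const host = actualHost(href);
  if (host === null) return false;
  const expected = expectedHost.toLowerCase();
  return host === expected || host.endsWith("." + expected);
}

// Same information the bookmarklet alert shows, as a structured result.
function spoofReport(expectedHost, href) {
  const host = actualHost(href);
  return { expectedHost, actualHost: host, suspicious: !isExpectedHost(expectedHost, href) };
}

// Phishing e-mails often show one URL as the link text while the href points
// elsewhere. Returns the links whose visible text names a host that the href
// does not actually lead to; text that is not URL-like is ignored.
function mismatchedLinks(links) {
  return links.filter(({ text, href }) => {
    const m = /^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})/i.exec(text.trim());
    if (!m) return false;
    return !isExpectedHost(m[1], href);
  });
}

// Constructed sample links, as they might appear in a suspect e-mail.
const SAMPLE_LINKS = [
  { text: "https://cod.ed.gov/login", href: "https://evil.example/cod" },
  { text: "Click here", href: "https://evil.example/" },
  { text: "www.ed.gov", href: "https://www.ed.gov/" },
];
```

Running `spoofReport("ed.gov", location.href)` in a page gives the same verdict the bookmarklet leaves to the eye, and `mismatchedLinks(SAMPLE_LINKS)` flags only the first sample link.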

Disclaimer

This announcement may contain information about commercial entities. Inclusion does not constitute an endorsement by the U.S. Department of Education of any products or services offered or expressed.

Contact Information

We appreciate your immediate attention to this very important issue. If you have any questions about this announcement, contact Robert Ingwalson, Federal Student Aid Chief Security Officer. He can be reached by e-mail at Robert.Ingwalson@ed.gov.

Attachments/Enclosures: