Messaging Scams
How do I tell if a message is for real?
What should I do if I receive a suspicious message?
NEWS: "Privacy Settings Changed" = PHISHING SCAM!
Stanford was just inundated with a very clever phishing attempt: a fake email claiming to be about Axess privacy settings; the email would even take you to a fake Webauth page, prompting you for your SUID and password. If you accidentally provided your info (or think you did):
- Change your SUID password NOW at accounts.stanford.edu
- File a help ticket with IRT security
- Always double-check in the future: a REAL webauth page will only ever start with "https://weblogin.stanford.edu/" and will have a little lock icon before it. If those things aren't true, don't log in! Here are some more hints to tell if an email might be phishing.
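The address rule above can also be checked mechanically, for example when triaging links from reported messages. The following Python is an added example, not part of the original page or of any Stanford tooling; the function names are hypothetical and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Scheme and host come from the rule above; everything else is illustrative.
TRUSTED_SCHEME = "https"
TRUSTED_HOST = "weblogin.stanford.edu"


def is_real_weblogin(url: str) -> bool:
    """True only if `url` is an HTTPS address on the real login host."""
    url = url.strip()
    # Backslashes and embedded whitespace are parsed inconsistently by
    # different clients, so treat them as suspicious outright.
    if any(c in url for c in "\\ \t\r\n"):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != TRUSTED_SCHEME:
        return False
    # A "user@" prefix can make a foreign host look like the trusted one.
    if parts.username is not None or parts.password is not None:
        return False
    # Compare the whole hostname, never a prefix or substring of it.
    host = (parts.hostname or "").rstrip(".")
    return host == TRUSTED_HOST and port in (None, 443)


def triage(urls):
    """Map each URL to 'ok' or 'suspicious' for a quick review list."""
    return {u: "ok" if is_real_weblogin(u) else "suspicious" for u in urls}


# Constructed sample links (example.net / example.org are reserved names).
SAMPLES = [
    "https://weblogin.stanford.edu/login?next=axess",
    "http://weblogin.stanford.edu/",
    "https://weblogin.stanford.edu.example.net/",
    "https://weblogin.stanford.edu@example.net/",
    "https://weblogin-stanford.example.org/",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLES).items():
        print(f"{verdict:10} {url}")
```

Only the first sample passes: the others fail on the scheme, on a longer hostname that merely begins with the trusted name, on a "user@" prefix, or on a different domain altogether.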
It's always a good idea to double-check a message from ANY source which asks you for personal information. There was even a new "smishing" (SMS + phishing) scam circulating recently, via text message. People would receive a text claiming to be from something like the "Credit Union Center" or "My Credit Union Alert," saying that a credit or debit card will be cancelled unless the user calls immediately and supplies the card number. Upon calling and entering the card number, the user will then speak to someone who asks for the card's PIN code for "verification." Sounds like a scam? You're right!
When in doubt, don't!
Although a lot of spam emails are obviously fake, sometimes they're just convincing enough to leave you wondering. And now with the increasing prevalence of mobile phones, scammers are branching out into text messages, even voicemail.
Some ways to tell if a message might be a scam:
- It's trying to scare you ("Do this or else a bad thing will happen RIGHT NOW!")
- It's referring to services that are usually well-protected (like email accounts or banking/financial services) or that use financial information (e-commerce sites, etc.)
- The sender asks for the keys to your information: your PIN, your password, etc. (Stanford will NEVER ask for that information, nor will organizations such as your bank)
- The message claims to be from a company you've never heard of, or never done business with
- The email address or website of the sender doesn't match the sender's business name (an email address that ends in "yahoo.com" is not, in all probability, from a real bank)
- The message contains poor grammar, misspellings, and/or awkwardly-phrased sentences
What should I do when I get a scam message?
Step one when you get a message that seems suspicious: don't do what it's asking you to do! Don't call the number they give, don't click on any links, don't follow their instructions. Instead, you can check the IRT Security blog; we're trying to post all phishing and fraud alerts as they appear, to help you identify them. If you don't see your particular message listed on the blog, you can always send it to IRT Security ( ) for confirmation. You should then delete any such emails from your inbox or phone.
Remember:
- NEVER CLICK ON LINKS in unsolicited messages.
- NEVER DOWNLOAD FILES from suspicious sources.
- NEVER GIVE OUT YOUR PASSWORD OR PIN to anyone.
- When in doubt, DON'T.

