UC Berkeley News


A poser to ponder: When is a padlock not a padlock?
And other conundrums to contemplate while fending off fraudulent e-mails

22 September 2004

Campus e-mail users are advised to be on the lookout for fraudulent e-mails asking them to enter financial data or personal information into a web page, perhaps in connection with a credit-card account. Such e-mails may include official-looking corporate logos, URLs, or other identifiers, and may ask you to “update your account information” or “activate your account.” But be aware that the whole setup could be a “phishing” scam to steal your personal information or deposit malicious code on your computer.

Recent bluCard scams

In one recent incident, users of UC Berkeley’s bluCard (a credit card used by campus departments for low-cost purchases) were sent an e-mail, purportedly from bluCard vendor US Bank, warning users that their “account may have been accessed by an unauthorized third party” and asking them to click a web link to “verify your account information and start using our services.” This e-mail was identified as a scam by US Bank and campus bluCard administrators, with US Bank confirming that they would never send such a request directly to bluCard users. Fraudulent e-mails have also come with other deceptively convincing logos, including those of Wells Fargo Bank and Citizens Bank.

Do not click on such links or respond directly to such requests. Instead, users who receive such e-mails are asked to contact the bluCard program or other relevant administrators. The procurement-card program has posted examples of fraudulent e-mails and additional information relating to bluCard-related e-mail scams.

Is it legitimate?

It is relatively easy for Internet scammers to forge e-mails and corporate logos. Scammers have also been known to hijack or forge a website, complete with a legitimate-sounding URL.

Still, many of us do receive legitimate (and requested) e-mails from corporations, and use web forms to submit confidential data — such as credit-card numbers to certain large, online bookstores. So how do we guard against scams while continuing to do legitimate business on the Internet?

• Be suspicious of any e-mail that asks you to enter confidential data into a web form or asks you to open an attachment. “From” addresses are easily forged, and corporate graphics easily stolen.
• Clicking on a link or attachment can trigger a worm or virus or, at the very least, leave an information trail. If in doubt, don’t click, reply, or respond in any way.

Legitimate business sites that handle confidential transactions must be secure and must have a legitimate certificate recognized by a known certificate authority. Put into common English, you should look for the following signs of adequate security:
• The business site must have an https:// URL, indicating that it uses a secure protocol.
• If your browser gives you a pop-up warning that the site’s certificate is invalid, expired, or does not match the site’s URL, do not trust the site. Legitimate business sites will not have certificate problems.
• Most browsers will display a padlock or similar icon to indicate that they are using a secure connection. You should always be aware whether your browser is using a connection that is secure (padlock) or insecure (no padlock). If a secure connection is called for, the absence of a padlock is a bad sign. However, the presence of a padlock does not mean you are completely safe. It is possible for malware (malicious software) to fake the signs of a secure connection, or to monitor your keystrokes outside the scope of the secure connection.
• Tip: If you get an e-mail that contains a link to a corporate site, you might want to type that corporation’s URL manually into your browser window instead of clicking on the link, which could take you to a fake site.
• If you doubt the legitimacy of an e-mail or a website, don’t respond directly and don’t click on any links. Instead, contact the corporate entity by some independent means such as a phone call or separate e-mail. Or contact some independent authority.
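As an added example that is not part of the original article, the Python below applies the three signs listed above (an https:// URL, certificate dates still valid, and a certificate name that matches the host in the URL) to a constructed certificate in the dict layout that Python's ssl.SSLSocket.getpeercert() returns. The hostnames, dates and function names are assumptions made for illustration.

```python
import ssl
import time
from urllib.parse import urlsplit


def hostname_matches(host, pattern):
    """Match a DNS name against a certificate name: exact match, or a
    single '*' as the whole leftmost label (e.g. '*.example-bank.com')."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    plabels, hlabels = pattern.split("."), host.split(".")
    # wildcard must be the entire leftmost label, must not cover the top
    # level, and must match exactly one label (no 'a.b.example-bank.com')
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def site_warnings(url, cert, now=None):
    """Return the article's warning signs for this URL and certificate.
    `cert` uses the dict layout of ssl.SSLSocket.getpeercert(); an empty
    list means the three checks (https, validity dates, name) all passed."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https: the connection is not encrypted")
        return warnings  # a plain-http page presents no certificate to check
    host = parts.hostname or ""
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        warnings.append("certificate expired on " + cert["notAfter"])
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        warnings.append("certificate not yet valid until " + cert["notBefore"])
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(hostname_matches(host, n) for n in names):
        warnings.append("certificate names %s do not match host %r" % (names, host))
    return warnings


# Constructed sample certificate (made-up names and dates, not a real bank's).
SAMPLE_CERT = {
    "notBefore": "Jan 10 00:00:00 2004 GMT",
    "notAfter": "Dec 31 23:59:59 2004 GMT",
    "subjectAltName": (("DNS", "www.example-bank.com"),
                       ("DNS", "*.example-bank.com")),
}
# A fixed "now" so the checks give the same answer whenever they are run.
MID_2004 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2004 GMT")
```

A look-alike host such as www.example-bank.com.evil-host.invalid fails the name check even though it begins with the bank's name, which is exactly the kind of fake site the tip above warns about.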

Legitimate online businesses and organizations must be very careful about security and confidentiality, especially given the increasing risk of “phishing” scams. The parties to an online transaction must be mutually authenticated; transactions must take place over a secure medium; the exchange of confidential data must be kept to the minimum necessary to accomplish the transaction. If you are presented with an online transaction that does not appear to follow such safe practices, be very suspicious.

To keep abreast of campus technical news, subscribe to iNews, the online publication of Information Systems & Technology, from which this article was adapted.