Beware of CFCU, CIT and other phishing scams

Almost everyone has received an e-mail message from some bank or credit card company claiming that an account has been frozen or there is a "security problem." When it's not your bank, you recognize it as a phishing (identity theft) scam and delete it.

Recently, however, the Cornell community was bombarded by phishing e-mails claiming to be from the Cornell Fingerlakes Credit Union (CFCU). Unlike many phishing attempts, some of these were well-designed and free of grammatical and spelling errors. If you clicked on the link in one of these messages you would be taken to a fraudulent Web site, dressed up to look like the real thing, that asked you to log in with your username, password, social security number and similar information, which criminals could use for identity theft. A recent variation asks you to call a phone number where an official-sounding person will ask you to "verify your identity" by, in effect, giving your identity away.

Other recent scams represented themselves as coming from CIT or some other campus agency, trying to obtain people's Cornell netIDs and passwords. These could be used to monitor the victim's e-mail to discover credit card numbers and other sensitive information.

Undoubtedly more of these will show up, perhaps claiming to be from local banks or other branches of Cornell administration. The simplest advice is that you should never respond to any such mail, no matter how legitimate it looks. Banks and companies like eBay and PayPal just don't send requests like this, nor does Cornell administration. If you do need to go to a site that requires a login, type in the URL yourself rather than clicking a link.

If you're still curious, notice that these messages are usually sent in HTML format, meaning that what you see on your screen isn't the whole story. A link that looks like http://www.CFCU.com may hide a URL that actually points to a site in Estonia or Outer Mongolia. In Eudora and some other e-mail programs, mousing over a link will reveal the address it really points to. There are also ways to see all the underlying code in an entire e-mail: search your e-mail program's help files or ask tech support to show you how.
