Phishing Isn’t Fun

Merriam-Webster defines phishing as, “a scam by which an e-mail user is duped into revealing personal or confidential information which the scammer can use illicitly.” While phishing used to be a random annoyance, in recent years it has grown increasingly sophisticated and targeted. One way of targeting a group is to use publicly available information to guess at affiliations. Someone who lives in Easthampton, for instance, might bank at Easthampton Savings Bank and therefore might be more likely to respond to an email that appears to come from that bank. A phisher can easily find the graphics he needs on the web to make a convincing-looking email. Human Resources is very careful about what information we give to the vendors who provide our benefits, but it is important to bear in mind that the names of the vendors are not a secret. If a phisher is looking at potential victims who work at colleges and universities, he might pretend to be a health insurance company such as Blue Cross Blue Shield, or a provider of 403(b) retirement annuities such as TIAA-CREF, that does business with those institutions.

So how do you determine whether an email that purports to be from TIAA-CREF is actually from TIAA-CREF? For your own protection, you must assume that every such email is bogus until you can verify independently that it is a legitimate communication.

Emails from both legitimate sources and from phishers contain links to the sender’s website. In the case of a legitimate email, the link will be to a legitimate site. In the case of a phishing email, the link may look legitimate but it will take you to a phony site, where you’ll be asked to reveal confidential information.

To keep from getting scammed, you should not click on a link in any unsolicited email—especially if the site you land on then asks you to enter confidential account information such as your username and password. Instead, you should launch your web browser and navigate independently to the site in question. For example, if you receive an email that says it is from TIAA-CREF, don’t click on any link in the email. Rather, open up your web browser and enter the address of the site yourself—in this case, www.tiaa-cref.org. Alternatively, you could perform a simple Google search, which will quickly bring up the legitimate website of any organization that you do business with.

Remember, if you have doubts about who’s emailing you, you can always contact our vendors by other methods. You’ll find links for our vendors on the Benefits page on the Human Resources website: https://www.amherst.edu/mm/98700