Thus far in 2009, K-State has been the target of at least 64 different spear phishing scams that attempt to steal eID passwords, and at least 41 people have replied to the scams with their password. Of those 41 replies, 37 are known to have been used by criminals to log in to K-State’s WebMail system and send spam. That means K-State is averaging about two new scams every three days and one compromised WebMail account every two days. The latest compromised eID resulted in someone logging in to K-State’s WebMail from the island nation of Mauritius and sending spam from the K-State e-mail servers. Besides the embarrassment of contributing to the worldwide scourge of spam, this has resulted in K-State being placed on the spam blocklists of providers such as Hotmail, MSN, and Comcast.
K-Staters are probably tired of hearing this – IT support staff will never ask for your password in an e-mail. Follow that simple rule, and you will not become a victim of these scams.
The scams are posted to K-State’s IT security threats blog when they are received, so look there to learn the characteristics of these scams. Look for posts with a title of “Spear phishing” followed by a date and the scam’s e-mail subject header. Previous IT Tuesday articles can also help: