4 minutes to read | Last updated April 8, 2020
This guide will help you protect your online identity by teaching you how to recognize and avoid phishing attacks and online scams.
Protect your online identity
Take these steps to greatly reduce your risk of identity theft:
- Use a shredder to dispose of sensitive data (credit card bills, bank statements) and don’t leave these documents where others (roommates, service people) can view them.
- Never click on unsolicited links included in emails, even from what may appear to be trusted sources (e.g., your bank). Often these are email scams or lures to malicious web sites.
- Don’t disclose identity information (SSN, birthdate, address) on the phone, through mail, or on the Internet unless you have initiated the contact and you know the other party involved.
- Limit the amount and type of identity information you post on social networking sites.
- Protect your Social Security Number. Don’t keep it in your wallet or write it on checks. Ask to use another identifier if possible.
- Use strong passwords and multi-factor authentication on sites that offer it.
- Prevent unauthorized use and laptop theft.
Phishing is the use of email and fraudulent web sites to trick people into disclosing personal financial or identity information, such as credit card or Social Security numbers, user names (e.g., NetID), passwords and addresses. Although most “phishes” come as email, phishing scams can also come in the form of text messages and phone calls.
An email message may look harmless. Posing as your credit card company or even the University of Wisconsin, it alerts you to a problem with your account and urges you to respond immediately by clicking a web link and “verifying” or “updating” your account information. The email and the web site may appear official, with all the familiar logos and corporate phrases. But they’re bait, presented to fool you into divulging your personal financial information.
Identity thieves send out billions of phish messages every month, according to media reports. The Anti-Phishing Working Group estimates that 5% of those who receive a phish message actually respond. Financial losses are difficult to measure, largely because victims are unable to attribute unauthorized charges to phish messages.
Spam filters provide some defense against phishers by intercepting their messages, but the target is elusive. The best defense is the individual user. Because things aren’t always what they seem to be, you should be skeptical about emails.
How to recognize scams
Scam tactics are increasingly sophisticated and change rapidly. Even if a request looks genuine, be skeptical and look for these warning flags:
- The message is unsolicited and asks you to update, confirm or reveal personal identity information (e.g., full SSN, account numbers, NetID, passwords, protected health information).
- The message creates a sense of urgency.
- The message has an unusual From address or an unusual Reply-To address instead of a “@wisc.edu” address.
- The (malicious) web site URL doesn’t match the name of the institution that it allegedly represents.
- The URL begins with “http” rather than “https”, indicating the connection to the site is not encrypted.
- The link destination shown when you hover over it (in the pop-up or status bar) doesn’t match the printed link text.
- The message is not personalized. Valid messages from banks and other legitimate sources usually refer to you by name.
- There may be grammatical errors.
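Several of the warning flags above (a Reply-To or From address outside the institution’s domain, urgency wording, an “http” link, and link text that names a different host than the link target) can be checked mechanically. The following is an added example, not code from the original page; the trusted domain, the urgency word list and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "wisc.edu"  # assumed institutional domain, per the page

# Constructed sample (not a real phish) showing several of the page's flags:
# a non-wisc.edu Reply-To, urgency wording, an http link whose visible text
# names a different host than its real href.
SAMPLE_EMAIL = """\
From: "UW-Madison IT" <helpdesk@wisc.edu>
Reply-To: support@example.net
Subject: Action required: verify your NetID immediately
Content-Type: text/html

<p>Your account will be suspended. Click
<a href="http://example.net/login">https://my.wisc.edu/</a> to verify.</p>
"""

URGENCY_WORDS = ("immediately", "urgent", "suspended", "within 24 hours")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(addr_or_url):
    """Host part of an email address or URL, lower-cased ('' if none)."""
    if "@" in addr_or_url and "://" not in addr_or_url:
        return parseaddr(addr_or_url)[1].rsplit("@", 1)[-1].lower()
    return (urlparse(addr_or_url).hostname or "").lower()


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def phishing_flags(raw):
    """Return the list of warning flags (from the page) that a message triggers."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []
    for hdr in ("From", "Reply-To"):  # sender/reply address outside wisc.edu
        if msg[hdr] and not _in_domain(_domain(msg[hdr]), TRUSTED_DOMAIN):
            flags.append(f"unusual {hdr} address: {_domain(msg[hdr])}")
    text = (body + " " + (msg["Subject"] or "")).lower()
    if any(w in text for w in URGENCY_WORDS):
        flags.append("creates a sense of urgency")
    for href, label in LINK_RE.findall(body):
        if urlparse(href).scheme == "http":  # no 's' after http
            flags.append(f"link is http, not https: {href}")
        label_host = _domain(label.strip())  # only set if the text is a URL
        if label_host and label_host != _domain(href):
            flags.append(f"link text host {label_host} != href host {_domain(href)}")
    return flags
```

Running `phishing_flags(SAMPLE_EMAIL)` on the constructed message reports all four flags; a message from the trusted domain with matching https links reports none.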
What is personal identity information?
Any piece of information that can be used to uniquely identify, contact or locate a single person, or that can be combined with other sources to uniquely identify a single individual, is considered personal identity information. It includes, but is not limited to, Social Security, driver’s license and financial account numbers. It can also include usernames and passwords, PINs, street and email addresses, telephone numbers or biometric data (e.g., fingerprints, DNA).
Is it okay to give out personal identity information to the University via email?
No. Because it can be very difficult to identify counterfeit emails, it is important to remember that UW–Madison won’t ask you to disclose personal identity information via email. Scammers will sometimes pose as “the University email service” or “the campus tech support service.” Don’t be fooled! If you are asked to disclose your Social Security Number, account information, NetID, password, MFA-Duo credentials or other identity information, don’t do it.
When in doubt, contact your local IT professional or the DoIT Help Desk at 608-264-HELP (4357) to ask for advice, or visit helpdesk.wisc.edu.
What happens if I do respond to a phishing attempt?
IT Security and individual campus departments may monitor network logs to identify incoming emails that are suspicious in nature. As part of their diagnostic tools, they have the ability to determine which IP addresses have responded to a suspected phishing request.
If the University logs any response by you to a known phishing address, you will have your credentials (i.e., NetID and password) disabled and will not be able to access network resources until you have re-established your University identity credentials. This may include reviewing this brochure, watching a short educational video and/or discussing the situation with a campus IT representative.
Is getting access to my NetID and password really that unsafe?
Yes. Someone with your NetID, password or MFA-Duo credentials now has access to your personal information in the My UW portal, including your payroll statements, financial aid records, grades, home address and more. They can steal your identity, change your course schedule, alter your research, and gain access to other applications within your department or even your home computer. Never use your NetID and password on any other site.
Are there any instances in which UW–Madison will ask me for personal identity information by email?
No. Neither IT Security nor the Division of Information Technology (DoIT) will ever ask you to reveal your NetID or password, or other restricted data, through email, phone, text or other means. You may be asked to change or strengthen a password, but you will never be asked to disclose it outright.
IT Security is working with campus groups to discourage them from sending email requests like this, but not all departments may be aware of the implications of doing so. The goal for campus is to eliminate these types of online requests entirely. Departments that do send mass emails are encouraged to follow these guidelines for sending mass emails.
Do's and don'ts
- Do keep your Internet browser and operating system up-to-date with the latest security patches and updates.
- Do be wary of unsolicited messages. Even though you may recognize the name of the sender, scam artists sometimes use these tactics to get personal information from you. Never give out your NetID, password, MFA-Duo credentials, credit card or social security number in response to an unsolicited request.
- Do look for a digital signature/certificate as another level of assurance that senders are who they say they are. Digitally signed messages display a special image/icon next to the subject line. You can validate its authenticity using an Outlook desktop client only; the Office 365 web client, Outlook on the Web, does not currently support this feature. Learn how to request a digital signature for yourself or a department.
- Do validate that you are connected to a certified, encrypted web site. If an organization wants to have a secure web site that uses encryption, it needs to obtain a site certificate. Look for a closed padlock in the status bar at the bottom of your browser window and for “https” rather than “http” in the URL.
- Do adjust your spam filters to ward off unwanted spam. Read everything you ever wanted to know about Spam and learn how spam filtering can help reduce the amount of unwanted email in your inbox, as well as help protect you from malicious attacks. Or go to the online help desk and search “spam filter” to learn more.
- Do use common sense. If you have any doubts, don’t respond. Ask your department IT representative, if applicable, or contact the DoIT Help Desk at (608) 264-HELP (4357) to ask for advice.
- Don’t click the link. Instead, phone the company or do an Internet search for the company’s true web address.
- Don’t use forms that are embedded in the body of an email (even if the form appears legitimate). Only provide information over the phone or on a secure website (look for a web address that starts with https, not just http, and for a padlock icon in the corner of the browser window).
- Don’t open email or attachments from unknown sources. Many viruses arrive as executable files that are harmless until you start running them. JPG file attachments have recently become a new format for spreading viruses.
Other phishing resources
Wisconsin Office of Privacy Protection
Learn to protect yourself and where to go if your identity is stolen.
State of Wisconsin Department of Administration, Division of Enterprise Technology
Find scam alerts, identity theft prevention and other cyber security resources.
Federal Trade Commission
Find out how to deter, detect and defend against identity theft.
How to report phishing or spam
The best way to report spam and phishing attempts is with Outlook’s built-in reporting options. Get detailed instructions on how to submit a message as spam in Office 365.
If these options are unavailable in your email client, send a report to email@example.com.
If you are ever unsure whether an email message is legitimate, DO NOT RESPOND to it! Instead, email the DoIT Help Desk or call 608-264-HELP (4357) and ask for advice.
Report a phishing scam
If you have been the target of a phishing scam we want to know about it. Send us an email and help keep campus secure.