
IT Security at UM-St. Louis

Email Security

Going Phishing at UMSL

No, not in the pond by the MSC. UMSL is constantly getting Phished with email. Most faculty, staff and students at UMSL have been Phished. You get Phished when you receive an email that pretends to be real but isn't.

These emails arrive letting you know that your bank account is locked or your credit card is overdrawn or you have money waiting at the IRS. Or my new personal favorite at UMSL...

Your UMSL webmail service is changing or your UMSL account is locked. Please send us your email address and password so that we can reset it.

First of all, UMSL ITS (and hopefully every other UMSL department) will NEVER ask you to email your password to us. In fact, it is actually against the campus acceptable use policy for us to ask for and use your password.

Second, all emails from UMSL ITS will be from an actual person and not a generic thing like the UMSL Help Desk or accounts@umsl.edu. It will be from a person that you can verify in the directory and call if you have questions.

Now, the other ones from banks and credit cards. I truly doubt that a bank or credit card company will email you to tell you that there is a problem with your account. I would not do business with them and you shouldn't either. Email is not secure. Tons of people could possibly read it and I do not want them knowing about my banking.

The criminals want you to go to their web sites (that look like the bank site) and give them your bank numbers, or social security numbers, or usernames and passwords. They want your information to sell and they are very rich from doing this.

So, when you get Phished, forward it on to abuse@umsl.edu and then throw it back!

Using "Reply To" with Email

Phishing emails look like real emails, but they are not. They pretend to be from your bank, credit card company, PayPal or even UMSL. How can we protect ourselves and others from these scams?

One thing that you can do is not add to the confusion. Phishers use common “generic” mailboxes to try to trick people. They make their emails appear to come from admin@umsl.edu or webmail@umsl.edu or accounting@umsl.edu. They just guess at what might be there and “spoof” the address. Phishers can put whatever they want in the “From” line of the email; you have probably even received these emails from your own address. What we recommend is that you never send University emails out from a “generic” account or mailbox. Always send the emails out from a real person’s official UMSL email address. This allows the recipient to contact the person to verify the email, and it adds a more personal contact. ITS sends out automated password reset emails, but they actually come from a real person’s mailbox that can be verified and contacted.

Some groups do not like to do this because they do not want the replies to go to a specific person. This is easily solved. When an email is created there is an option to specify a “Reply to” address. You could put your group or departmental email address in this “Reply to” field and all replies will then be sent there. In doing this, we get the verification and personalization of a real user with the convenience of the emails coming back to a shared mailbox.
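The arrangement described above, as an added example that is not part of the original page: a message sent from a person's address with "Reply-To" set to a group mailbox, plus a check that flags a generic "From" before the message goes out. The names, addresses and the list of generic mailbox names are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: "generic" local parts, taken from the example addresses on this page.
GENERIC_LOCAL_PARTS = {"admin", "webmail", "accounting", "accounts"}


def build_message(sender, recipient, subject, body, reply_to=None):
    """Build a message; reply_to, if given, becomes the Reply-To header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    return msg


def reply_destination(msg):
    """Address a reply goes to: Reply-To when present, otherwise From."""
    header = msg.get("Reply-To") or msg.get("From", "")
    return parseaddr(str(header))[1].lower()


def policy_problems(msg, domain="umsl.edu"):
    """List the ways an outgoing message departs from the recommendation."""
    address = parseaddr(str(msg.get("From", "")))[1].lower()
    local, _, from_domain = address.partition("@")
    problems = []
    if from_domain != domain:
        problems.append("From is not an official address")
    elif local in GENERIC_LOCAL_PARTS:
        problems.append("From is a generic mailbox")
    return problems


if __name__ == "__main__":
    # Constructed sample: a person's address in From, the group mailbox in Reply-To.
    note = build_message("Pat Example <pat.example@umsl.edu>", "staff@umsl.edu",
                         "Office hours change", "See the new schedule.",
                         reply_to="its-group@umsl.edu")
    print(note["From"], "-> replies go to", reply_destination(note))
    print(policy_problems(note) or "passes the sender check")
```

This check is for your own outgoing mail only. Because the "From" line can be spoofed, passing it says nothing about whether a received message is genuine.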

To use "Reply To" in Outlook

When creating or editing an email, go to the "Options" bar. In Outlook 2007 this is a tab across the top of the email. In Outlook 2003 this is a button across the top.

Once you are in Options, choose the option for "Reply To" or "Direct Replies To".

There will be a blank with a check box for "Have Replies sent to".

Put the address there.

To use "Reply To" in Entourage

This is more account-based in Entourage. Go to Tools -- Accounts.

Go to the Mail tab and edit your email account.

Click the Options tab and enter an "Additional Header":

New header: Reply-to

Value: put the group email address here

(This is not a perfect solution for the Mac, but it will work. The downside is that you would need to set this up and then remove it after you send the email.)