Email is a useful tool for communication, but as some members of the campus community recently learned, it carries the risk of phishing scams.

A sophisticated phishing scam compromised the sensitive information of a number of Notre Dame students, faculty and staff March 7, Jason Williams, an information security professional in the Office of Information Technology (OIT), said. The scam was the latest in a series of phishing incidents this year, all of which were distributed via email, he said.

Williams said OIT receives phishing scam emails daily, but most are screened by campus mail servers and never reach their intended targets.

However, a few especially sophisticated phishes get through the filters each year, Williams said.

“Several times a year, more sophisticated phishing emails get past the email server filters and must be blocked manually,” Williams said. 

The March 7 phishing scam eluded detection by appearing to be from the Notre Dame email administrators, Williams said.

“The scammer used stolen Notre Dame credentials to send a mass email, which is why it was delivered to campus and not caught by the mail filters,” he said. 

Williams said an increasing number of students, faculty and staff have been victims of recent phishing scams due to the scams’ sophistication and effectiveness.

“Phishing is a very effective scam,” Williams said. “We’ve seen a rise in the number of incidents because the scam is working. We have seen a significant number of compromised NetIDs in the last twelve months.”

Williams said the fraudulent emails are hard to trace because they are often from public IP addresses or addresses from outside the United States. 

He said the emails also appear to be legitimate since they are usually branded with Notre Dame logos. The emails direct the recipient to a fake website where they are asked to provide a log-in name and password or other personal information, Williams said. 

Williams said there are a few ways to avoid falling victim to phishing scams. 

“The easiest way to avoid getting phished or directed to a malicious page is to not click on links in emails. Even if the email appears to be from a legitimate source, it’s best to open a web browser and type in the URL rather than click on the link,” Williams said. “If you do visit a website, confirm that the URL corresponds to the website that you think you are visiting.”

Emails from legitimate sources within Notre Dame will never ask for sensitive personal information and any email that asks for such information should send up a red flag, Williams said.

“Notre Dame administrators or any other legitimate organization will never ask you for your password or other account information because these organizations already have that information,” Williams said. 

Williams said the best policy to avoid compromising personal information is to use caution online.

“Any time someone asks for your credentials or personal information, it’s a good time to pause and consider if the request is legitimate,” Williams said. “This rule applies not only to your online interactions but to offline interactions, too. Your personal information is a valuable asset. Treat it as such.”