Phishing for IUP E-mail Accounts

  • Phishing

    "Dear IUP E-mail subscriber..."

    "Confirm your Webmail account..."

    "Your E-mail account upgrade..."


    Various fictitious E-mail messages are being sent to IUP E-mail accounts requesting username and password information.  This is a form of targeted social engineering called spear phishing.  Here is an example of a username/password spear phishing message.

    IUP users should never reply to phishing attempts, including ones asking for a username and password.  In fact, the IT Support Center and other IUP technology support units have been explicitly told to never request a user's password.  It is also important to always look at the "To:" field before sending a reply to any E-mail message.  IUP users should either report username/password phishing attempts to IT Support personnel or delete them.  If an IUP user replies and gives their e-mail username and password to an anonymous phisher, they give the phisher complete control over the IUP e-mail account.  This allows the phisher to send out thousands of spam e-mails to users across the Internet under the IUP user's identity (and because of association, IUP’s identity as well).

    In an effort to protect our user accounts from being compromised, IUP blocks replies to known spear phisher reply-to addresses, and in some extreme cases, IUP blocks the system that sent the message if the same system continues to attack our users.  IUP e-mail users are helping us combat these attacks by reporting new username/password spear phishing messages as they get them, which allows IUP to block the reply-to addresses promptly.

    To report a spear phishing attempt on your IUP e-mail account, please follow these instructions:

    How to Submit a Spear Phishing Message

    More information regarding spear phishing can be found on the Microsoft website.