Carnegie Mellon University School of Computer Science

Security: Phishing, Hoaxes & Scams

There are several types of unwanted and malicious e-mail that one should be on guard against:

  • Viruses: Perhaps purporting to be from someone you know, these e-mail messages contain some type of executable code.
  • Hoaxes: These can take the form of false virus alerts (such as the "Good Times" hoax), chain letters, or attempts to spread false information about some issue (such as warnings that the Federal Government is about to tax e-mail).
  • Scams: Examples are the Nigerian 419 scam or attempts to have you visit a particular web site to "confirm your account information".

Protecting yourself against internet scams

One common type of scam (often called a "phishing scam") involves fake e-mail purporting to be from a bank, PayPal, or some other reputable source that asks you to visit a particular web site (usually via a link that is included in the mail) and enter personal information. The e-mail is really from a scammer, and the web site listed in the mail is run by the scammer for the specific purpose of gathering your information and using it for identity theft and other purposes.

In many ways, protecting yourself from such internet scams is no different than protecting yourself from scams that do not involve the internet. For example, if someone called you on the phone, said they were from Citibank, and asked you to "confirm" your credit-card information, you would (hopefully) hang up on them. The basic principle is to never provide sensitive information over the phone unless you have initiated the call yourself. Unsolicited e-mail should be treated the same as such unsolicited phone calls. Keep in mind that:

  • It is easy to forge e-mail such that it appears to be from a company and contains company logos and other "evidence" that it is legitimate (you can usually download such logos from the company's own website).
  • It can be very difficult to tell where a link on a web page actually goes to without very careful inspection. So, you do not know if clicking on such a link will take you to the company's real web site.

If you think that the e-mail may really be from your bank or other institution, call their customer service number (which you have gotten from known legitimate documents) to confirm its authenticity. If the mail purports to be from SCS Computing Facilities, contact the SCS Help Desk at 412-268-4231.

There are many other types of e-mail scams, most of which involve getting "something for nothing". Strangers are as likely to give you large amounts of free money over the internet as they are over the phone or via postal mail. Most such scams at some point lead to you providing money up front or giving bank account or other personal information.

Internet hoaxes

There are numerous chain letters, hoaxes, and other false information floating around the internet. These are not necessarily attempts to swindle you out of money, but they do waste everyone's time. Before passing along some anonymous rumor or dire warning to a mailing list or to your friends, please take steps to confirm its authenticity. Often, simply googling for the subject heading will provide sufficient information. If in doubt, you can contact us to confirm or disconfirm the rumor. Never, ever pass along a chain letter.