Phishing
The most common type of IT attack we see at the University is the phishing scam. Phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity in an electronic communication. In the U of M environment, this usually takes the form of an email purporting to be from a network administrator or University IT department. It usually warns you that your email account is going to be deleted or discontinued unless you respond to the email with your username and password. Sometimes the email directs you to click a link to a website, and the website asks you to enter your credentials. The real purpose of the email is to steal your username and password, allowing the scammer to use your account.
Below are some examples of phishing scam emails. We've added some notes to help you identify these kinds of emails in the future. The most important thing to remember is that no legitimate University of Michigan department will ever ask you to give them your username and password over email. If you receive an email instructing you to do so, do not respond, and report it to SNRE IT staff. We may ask you to send us a copy of the email and delete the original.
Example #1
This first email has many of the common characteristics of the typical phishing scam:
From: I.T. service Desk [1]
Sent: Wednesday, November 24, 2010 8:27 AM
Subject: Re: Final Notification.
This message is sent automatically by the computer. [2] If you receive this message it means that your email address has been queued for deactivation; this was as a result of a continuous error script (code: 505) received from this email address. To resolve this problem you must reset your email address. In order to reset this email address, you must reply to this e-mail by providing us the following Information for confirmation. [3]
Current Email Address: { } [4]
Current Email Password: { }
Re-confirm Password: { }
Note: Providing wrong information or ignoring this message will resolve to the deactivation of this Email Address from our database, we apologize for any inconvenience. [5]
For urgent assistance you are to contact customer help desk on. [6]
Email: IT@my.sysadmin.it [7]
Tel: 1 -800 CONTACTS [8]
1. You'll notice that the From: address is very generic (I.T. Service Desk) and doesn't give any indication that it's from the University. That's the first indication that something is wrong.
2. "This message is sent automatically by the computer." What computer exactly is that? Odd phrasing like this is usually an indication that the message has originated from a foreign country and was written by a non-native English speaker.
3. The grammar in subsequent sentences is also suspect. Obviously, not every legitimate email from U of M IT staff is going to be perfectly written, but most will be clearer, more concise, and better written than this.
4. This request for the email address and password is the biggest red flag here. Again, no UM Department will ever ask for your passwords or other credentials over email.
5. Again, poor grammar.
6. Really poor grammar.
7. Notice the non-umich email address (and the .it domain name, indicating the address is registered in Italy).
8. Why would U of M use an 800 number for IT support (especially one that goes to a contact lens ordering system)?
Example #2
The following phishing scam email changes things a little. Rather than asking you to email your credentials, it asks you to go to a website and enter them, where they will be stolen.
From: "Administrateur système" [mailto:admin@webmaster.sk] [1]
Sent: Thursday, July 28, 2011 6:38 AM
Subject: You have reached the storage limit on your mailbox.
You have reached the storage limit on your mailbox.
You will not be able to send or receive new mail until you updrade your
email account.
click the below link to fill your emaill upgrade form. [2]
http://pinteksolutions.com/formgenerator/use/Chilakaform/form1.html [3]
Technical Support Team [4]
192.168.0.1
1. The French spelling of "system administrator" is a sure indication that this is a scam.
2. Notice the poor spelling and grammar.
3. The bizarre address of the website included in the email is another big clue that something isn't right.
4. The generic "technical support team" and the IP address included for no apparent reason are also strange and should raise suspicion.
Example #3
The final email is the most dangerous and effective. It came from a very plausible-looking address (which is why I've deleted that portion of the email) which appears to be from UM, but in fact redirected to another address. As you can see, the email specifically mentions the University of Michigan several times, adding to the realism.
The UNIVERSITY OF MICHIGAN Online Services has been receiving complaints for unauthorised use of the UNIVERSITY OF MICHIGAN Webmail Account. [1]
As a result of this we are making an extra security check on all of our mailbox in order to protect your information from theft and fraud.Do send us your current login credentials to keep your account active. [2]
Usaname: [3]
Password:
U-M Online Services [4]
2011 Copyright © Care Center. [5]
1. You'll notice there are some weird spacing issues in the first sentence of this email. This is likely due to the fact that it was generated from a template that filled in UNIVERSITY OF MICHIGAN in the appropriate places, indicating the template was not formatted properly.
2. The errors in grammar should raise suspicions.
3. The best indicator that this is a phishing scam is the request for username and password.
4. The U-M Online Services tag is a nice touch, as it's specific enough to trick people.
5. It would be strange for the University to copyright any of its emails, especially those from the IT department.
Hopefully this little demonstration will help you to recognize phishing scam emails in the future. The most important thing to remember is that nobody at U of M will ever ask you to send your name and password over email. You should treat any email that does as a scam and delete it.
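The red flags from the notes above (a sender or reply address outside the University, a request for a password, a link to an outside website) can also be checked mechanically when triaging a reported message. The following Python is an added example, not part of the original page or any U-M tool; it assumes umich.edu is the only trusted domain, and the Example #3-style and look-alike messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = "umich.edu"  # assumption: only this domain counts as University-owned
ASKS_FOR_PASSWORD = re.compile(r"password\s*:|login credentials", re.I)
URL = re.compile(r"https?://[^\s<>]+", re.I)

def trusted(host):
    """True for umich.edu and its subdomains, not for look-alike hosts."""
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED or host.endswith("." + TRUSTED)

def red_flags(raw):
    """Return the red flags from the notes above found in one raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []
    for header in ("From", "Reply-To"):
        addr = parseaddr(msg.get(header, ""))[1]
        if addr and not trusted(addr.rpartition("@")[2]):
            flags.append(header.lower() + "-outside-umich")
    if ASKS_FOR_PASSWORD.search(body):
        flags.append("asks-for-password")
    if any(not trusted(urlparse(u).hostname) for u in URL.findall(body)):
        flags.append("external-link")
    return flags

# Condensed from Example #2 on this page.
EXAMPLE_2 = (
    "From: admin@webmaster.sk\n"
    "Subject: You have reached the storage limit on your mailbox.\n"
    "\n"
    "click the below link to fill your emaill upgrade form.\n"
    "http://pinteksolutions.com/formgenerator/use/Chilakaform/form1.html\n"
)
# Constructed: plausible From, replies redirected elsewhere, as in Example #3.
EXAMPLE_3_STYLE = (
    "From: online.services@umich.edu\n"
    "Reply-To: care.center@mail.example.net\n"
    "\n"
    "Do send us your current login credentials to keep your account active.\n"
    "Usaname:\nPassword:\n"
)
# Constructed: look-alike host that merely contains the trusted name.
LOOKALIKE = "From: it@umich.edu.example.net\n\nSee http://umich.edu.example.net/\n"

if __name__ == "__main__":
    for sample in (EXAMPLE_2, EXAMPLE_3_STYLE, LOOKALIKE):
        print(red_flags(sample))
```

A message with no flags is not thereby safe; the check only surfaces the indicators this page describes.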