Everyone who’s been online in the past couple of days knows the net has basically been on fire. News about the Heartbleed OpenSSL vulnerability is everywhere, and people are scrambling to change their passwords. But maybe we shouldn’t be so hasty: not everything has been compromised, and not every email is legitimate.
For example, we had lots of people calling in about the email sent out on the 9th instructing UD members to change their passwords. Many of you astutely noticed that the provided link was wrong, and we’re glad to see the UD community is alert to the signs of phishing scams. This brings up two important points.
First, be wary of emails containing links. Although it sometimes happens, legitimate organizations generally shouldn’t put links in their security emails; instead, they should instruct you to visit their websites and take action there. If you get an email containing a link, verify the actual destination by hovering your mouse cursor over the link and reading the destination shown in the bottom left of your browser window. Don’t assume that the link text points to a legitimate site.
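The hover check above can be automated for anyone who wants to screen a suspicious message before clicking anything. The script below is an added example, not something UD IT distributes: it pulls every anchor out of an HTML email, compares the domain the link text claims with the domain the href actually points to, and flags any destination outside an allowlist of domains you trust. The sample email, the `udel.edu` allowlist and the two-label "registrable domain" shortcut are all assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches something that looks like a hostname inside visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL; bare 'www.example.com' is treated as http://www.example.com."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _registrable(host):
    # Simplification (assumed): the last two labels. Good enough for udel.edu,
    # wrong for suffixes like co.uk; a real tool would use the public suffix list.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_links(html, trusted_domains):
    """Return one finding per anchor: href, visible text, and why it looks suspicious."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        reasons = []
        if not href_host:
            reasons.append("href has no usable hostname")
        elif _registrable(href_host) not in trusted_domains:
            reasons.append(f"destination {href_host} is not a trusted domain")
        match = DOMAIN_RE.search(text)
        if match and href_host:
            text_host = match.group(1).lower()
            if _registrable(text_host) != _registrable(href_host):
                reasons.append(f"link text says {text_host} but href goes to {href_host}")
        findings.append(
            {"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons}
        )
    return findings


# Constructed sample email: the first link mimics the "misspelled link" pattern,
# showing a udel.edu URL as text while pointing somewhere else entirely.
SAMPLE_EMAIL = """
<p>Your password must be changed immediately.
<a href="http://udel-account-reset.example.net/login">https://www.udel.edu/password</a></p>
<p>Or read the notice on the <a href="https://www.udel.edu/it/">UD IT</a> site.</p>
"""

TRUSTED = {"udel.edu"}  # assumed allowlist for this example

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL, TRUSTED):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"[{flag}] {finding['text']!r} -> {finding['href']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Running it prints the first link as suspicious for two independent reasons (untrusted destination, and text/href domain mismatch) and the second as fine. The two checks are deliberately separate: a link whose text is just "click here" has no domain to compare, so the allowlist is what catches it, while a lookalike domain that slipped onto an allowlist would still be caught by the mismatch check.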
Second, make sure you can verify the information in the email. While UD’s own email did contain a misspelled link, the information it provided could be verified by a UDaily article and by the UD IT Heartbleed info page. The CAS page (through which you sign in to UDSIS) also displays a reminder about password changes. If an email instructs you to change your password or take an action related to your account, make sure you check that the information is correct and legitimate.
Some people have even been getting emails about sites where they don’t have accounts at all. This post on SANS’s forums is a perfect example.
So remember to be careful when changing your passwords this week. It’s always better to go directly to the affected website than to click a link in an email. Otherwise, you could be giving scammers your new login info and getting some malware in return.