Two USC students were victims of a fraudulent e-mail sent to students and faculty at USC and Ohio State University through their e-mail accounts Monday afternoon.
The e-mail, which asked them to verify their e-mail account passwords, was sent from a non-USC e-mail addresses to 400 USC students and faculty and presented itself as a university sanctioned message telling students to update their accounts. The e-mail sent to OHS students also pretended to come from the university and had the same message.
"We are currently upgrading our data base [sic] and e-mail account center. We are deleting all unused USC e-mail account [sic] to create more space for new accounts. To prevent your account from closing you will have to update it below so that we will know that it's a present [sic] used account," the message said.
The e-mail then asked students to respond with their e-mail address, password, date of birth and country or territory where they live.
The fraudulent e-mails were sent out between about noon and 3 p.m., but Information Technology Services sent a warning e-mail to students and faculty at 2 p.m. after the fraudulent e-mails were forwarded to ITS. The ITS message warned students that the e-mail was not sent by USC and they should not respond.
"Someone who received the e-mail forwarded it to us, and at that time, we sent out the warning e-mail from ITS to all students, faculty and staff," Director of Communications for ITS Kevin Durkin said.
The message was sent to students from two different non-USC e-mail addresses (uscteam@bellsouth.net and uscteam50@bellsouth.net).
Although ITS knows the e-mail addresses, there is no way for them to find out who sent the message
Two people did respond to the first round of e-mails, but once they received the ITS e-mail telling them about the fraud, they changed their passwords immediately, Durkin said.
If an e-mail password is acquired through spam, the spammer could have complete access to the e-mail account and all the information within the account, including bank statements and other password protected information.
The account could also be used to send out more fraudulent e-mails in the future.
Durkin said students should never provide their personal information through e-mail, especially if the e-mail looks suspicious.
"As soon as I received the e-mail, I dumped it in the trash. I have had identity theft through PayPal, so my experience was the second I saw it asked for a password, I knew it was a hoax. No one asks for passwords through e-mail," said Michael Kae, a junior majoring in business administration.
The spam e-mail contained grammatical mistakes and did appear as an official USC e-mail
Durkin said ITS would never as USC email users for their passwords.
ITS has spam blockers on the e-mail accounts, which should help filter fraudulent e-mails from students' inboxes, but sometimes, spam does slip through, he said.
