What to do if you've been 'phished'
Neither Seminary Computing Services nor Earlham Computing Services will ever ask you to send your password via email.If you have sent your password in response to a message claiming to be from us (see some samples), then you should assume that you have been "phished", and you need to begin taking steps to protect not only your email and Moodle accounts, but also your electronic identity.
- Your first step should be to change the password for your seminary account. If you cannot log into your account or change your password, please call the SCS Helpdesk immediately to receive a new password. If your passwords seem to be intact, and you don't see any suspicious messages, take heart; it's less likely that your information has actually been used yet (but follow the rest of these steps just in case!).*
- Once you are able to change the password and log into your account, your next step is to think about what information has been exposed and how it might be used. If a person had access to your email account, they might have been able to gain access to other accounts; many online services will let you find a forgotten password by sending a message to your email address.* If you sent other personal information along with your password birth date, Social Security Number, mailing address, etc.), the scammer might be able to use that data to verify themselves as you with various institutions (banks, credit card companies, etc.); in other words, to steal your identity. If there are institutions with your work address or email tied to your account, you should consider letting them know that your information might have been compromised, so that they can be on the alert for any suspicious activity.
- Finally, you'll want to watch for any suspicious activity on any potentially compromised accounts (notices of password changes that you didn't initiate, etc.). The FTC has some decent information about identity theft here.
Even if you did send your password to a nefarious party, it's certainly not a foregone conclusion that your identify has been stolen; if you take these precautionary steps quickly, the scammers might just skip you and move on to easier prey.
*. If you used the 'compromised' password for any other accounts (email, e-commerce, etc), you should change those passwords as well. If you find that the password on any of these accounts has been changed without your knowledge, it's likely that account has been compromised, and you'll need to take action depending on the type of account; you can generally follow the steps above, or contact the support group for the organization in question.