Validating PCS/OIT emails
Validating PCS/OIT emails
Physics Computing Services (PCS) and the campus Office of Information Technology (OIT) on occasion need to send email to people to inform them of important matters regarding their computer accounts. The frequency of such is increasing as campus makes changes mandated by state IT security auditors.
Unfortunately, the prevalence of a type of attack called "phishing" --- a method whereby unscrupulous people try to get the recipient to provide sensitive information by posing as an official requester --- leads to confusion. This is particularly problematic because many "phishing" attacks claim there is a problem with your computer account. But because of this, many people have difficulty determining whether a message they receive, especially discussing matters about their account, is a real, official message from either PCS or OIT that they should pay attention to, or something malicious.
We commend people for their due care and suspicions regarding such email. However, to help ensure valid official emails are not ignored or malicious emails opened, we are providing the following guidelines for testing the authenticity of messages. In all official notifications requesting you to take specific actions pertaining to your account, such as password expiration notifications, both the Office of Information Technology and PCS will follow the following criteria:
http:// portion to avoid email clients from rendering
them clickable).
Also, all official notices from PCS will be signed by a named individual member of PCS. PCS notices about password expirations, or requesting action be taken pertaining to your account will in addition follow the above criteria.
If "official-looking" emails are received which do not meet these criteria, regard them as bogus --- discard them. If in doubt, feel free to contact PCS about the message using the physhelp facility. Also, please note that OIT and PCS staff will never request you to provide your personal password; OIT/PCS staff either have sufficient privileges to do what they need to without your password, or will have you log in for them and do necessary operations in your presence. NEVER give out your personal account password, and NEVER, EVER via email.
PGP signatures are a means of digitally signing messages. You can read a PGP signed message without any additional software, it will just have a few extra lines at the top and the bottom of the message. With the appropriate software, however, you can verify that a PGP signed message was actually created by the person the message claims, at least if you know the public key of the person claiming to have written the message, and you can trust the the person's private key was not compromised. More information on dealing with signed emails
PCS and some OIT public keys may be found here
