Over the last week, Stanford chat lists have been inundated with messages cautioning students about a Bank of America scam that managed to make its way into many students’ email inboxes. But the warning came too late for a few students who had already disclosed private information to spammers.

Joseph Bergen

A number of Stanford students received a message bearing the Bank of America logo that warned of “irregular card activity” on their accounts. The email asked recipients to verify their private information by clicking on a link — a link that led not to the official Bank of America log-in page, which uses a secure log-in, but to a phony site created by the spammers.
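The tell in this attack is that the message's logo and the link's visible text claim one site while the link's real destination is another. As an added example, not code from the article or from Stanford IT Services, the following Python script extracts every link from an HTML message and flags any whose destination domain is not on a short allow-list, whose displayed URL differs from where the link really goes, or that uses plain http instead of https. The allow-list, the sample message and the look-alike host verify-card.example are all constructed for the example.

```python
"""Flag links in an HTML email whose real destination does not match the
brand the message claims to come from (added example, not the article's)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains a genuine Bank of America message would link to. This allow-list is
# an assumption made for the example, not a list published by the bank.
TRUSTED_DOMAINS = {"bankofamerica.com"}

# Constructed sample modelled on the message described in the article: the
# anchor text shows the real bank URL, but the href points at a look-alike
# host (verify-card.example is a made-up domain).
SAMPLE_EMAIL = """<html><body>
<img src="cid:logo"><p>We have detected irregular card activity on your account.</p>
<p>Please verify your information at
<a href="http://bankofamerica.com.verify-card.example/login">https://www.bankofamerica.com/</a>
within 24 hours.</p>
<p><a href="https://www.bankofamerica.com/privacy">Privacy policy</a></p>
</body></html>"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def split_url(url):
    """Return (scheme, registrable domain) for a URL or bare host.

    'login.bankofamerica.com' -> 'bankofamerica.com'. Taking the last two
    labels is good enough here; a production tool would consult the public
    suffix list so that hosts like 'example.co.uk' are handled correctly.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    domain = ".".join(labels[-2:]) if len(labels) >= 2 else host
    return parts.scheme.lower(), domain


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return a list of {'href', 'text', 'reasons'} for links worth flagging."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        scheme, dest = split_url(href)
        reasons = []
        if dest not in trusted:
            reasons.append(f"destination {dest!r} is not a trusted domain")
        # Anchor text that looks like a URL is what the victim believes they
        # are clicking; compare it with where the link really goes.
        if text.lower().startswith(("http://", "https://", "www.")):
            _, shown = split_url(text)
            if shown != dest:
                reasons.append(f"displayed URL says {shown!r} but link goes to {dest!r}")
        if scheme != "https":
            reasons.append("link uses plain http rather than https")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the sample, the script flags only the "verify" link, for all three reasons: the registrable domain is verify-card.example (the leading bankofamerica.com is just a subdomain label), the displayed URL disagrees with the href, and the link is plain http. The check is the automated form of the advice in the article: look at where the link actually goes, not at what it says.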

The Stanford University Department of Public Safety issued a press release Wednesday expressing concern over “a recent rash” of phishing attacks — scams that collect private information from unsuspecting email recipients. The press release noted that six Stanford affiliates have been known victims of identity theft in the past year.

Email rackets are not a new phenomenon at Stanford. Last year a fraudulent eBay message solicited credit card information from students; a Stanford Federal Credit Union scam and the same Bank of America scheme have occurred repeatedly over the last few years.

One junior was duped by the Bank of America scam the summer after his freshman year. After receiving the counterfeit email, he followed the link and typed his name and password into the form it led to.

“I found out that my Bank of America savings account had been zeroed and the money had been transferred to a PayPal account,” he said. “I was very lucky, however, since PayPal actually gave me back all of the money.”

Some students who were potentially victims of identity theft asked not to be identified in this article due to privacy concerns.

Heather Heistand ‘08 (who is also a Staff Writer at The Daily) said she immediately fell for the scam.

“My purse was stolen two months ago,” she said. “I was completely taken in by the scam because I thought Bank of America was just checking in to be sure everything was in order. In fact, I had explicitly asked them to investigate, so that made the scam even more convincing.”

The current phishing episode also fooled a freshman who has since taken steps to protect her identity by filing a fraud alert with several credit bureaus and canceling her Bank of America account.

“As soon as I submitted the information, I knew something was wrong,” she said in an email to The Daily. “I suddenly remembered that Bank of America, or any other bank, would not ask for such personal and private information over email or phone call, so I called Bank of America immediately and realized the huge mistake I had made in responding.”

She noted that many other people she knew received the duplicitous email.

“This particular email affected many students and staff on campus,” she said. “I personally know five other students and a staff [member] who, like me, responded to the email.”

“Almost all my friends received the email,” she added. “Apparently those who had Gmail accounts were more fortunate in that Gmail automatically labeled the email as spam, making it easier to identify it as fraud. I hope Stanford takes steps toward protecting email accounts from receiving spam such as this.”

Suzanne Karpilovsky, a third year graduate student in English who received the same email, said the message initially appeared legitimate.

“I thought it was from Bank of America,” she said. “So, the first thing I did was I went to the real Bank of America Web site, and I checked my account, and there was no change in the account. I went back to the email and clicked the link, and I saw that when they asked for things like your Social Security number, it was a fraud.”

William Ito ‘09, the Resident Computer Consultant (RCC) in Freshman-Sophomore College (FroSoCo), said that such scams are particularly deceptive because they look valid.

“If it feels fishy or you ever have to enter private information, make sure you actually are looking at the Web site you think you are,” he said. “A lot of the phishing attacks trick people into thinking they are on a different legitimate site, such as eBay, or, in this case, Bank of America. They collect personal information, emails, phone numbers and [in the] worst case, credit card information and Social Security numbers.”

Ito said it is difficult for Stanford’s spam filters to catch these well-camouflaged scams.

“The filters are designed to catch the things that are trying to sell you things like Viagra,” he said. “[Phishing attacks] that get sent out go out of their way to look as official as possible. That’s why banks always go out of their way to say we will never ask for your personal information on their Web sites.”

Executive Director of IT Services Bill Clebsch noted that Stanford’s spam filtering is aggressive compared to that of the non-Stanford population, but that it is hard for the University to immediately filter against spam like the Bank of America racket because such messages look reasonable.

“We know that certain providers do nothing but send spam,” he said. “We never even let [these messages] get to the mail system.”

But he conceded that it would be impossible for the University to implement a system that blocks email from all non-trusted senders.

“In corporate America what they basically do is, they say, ‘If you’re not a trusted vendor we don’t allow your e-mails through,’” he said. “We can’t do that. We are the intellectual centers of the world — we’re trying to promote collaboration. So we have to [have] 100 times as many complex rules.”

IT Services Info Systems Project Manager Nancy Ware said that the Departmental Firewalls Project, an IT Services firewall initiative, will address virus concerns rather than identity theft issues.

“Say somebody had their laptop swiped and they contracted some kind of virus and they plugged their laptop into the Stanford network,” she said. “The Departmental Firewalls Project can quickly contain the scope of that attack. In a student area, you could contain it to a dorm and protect everybody else.”

She added that the University does subscribe to services that help to identify improperly formatted emails that could be phishing attacks. The Department of Public Safety’s Web site (http://www.stanford.edu/group/SUDPS/) offers a link with suggestions for identity theft prevention and advice for victims.

In September 2006, the offices of the president and provost funded the Departmental Firewalls Project — an IT Services plan for firewall implementation. Clebsch said that the project will take a year or more to complete.

“It’s a large and significant project to really protect Stanford much,” he said, “much more from viruses, from worms, from email scams, from any kind of attack from the outside and from an attack from an inside protected machine.”