July 16, 2009, 01:55 PM ET
Phishing Attack Hits North Carolina State U.'s E-Mail System
After business hours last Thursday night, an e-mail message popped into the in boxes of 800 people at North Carolina State University with the subject line “Mandatory Security Update: July 2009.” The e-mail message, which claimed to be from the IT Help Desk, said that in an effort to block spam, all e-mail users had to click a link to the university’s e-mail sign-in page and enter their user name and password.
It seemed perfectly normal — the image icons were the same, and links to the home page and directory all looked fine.
Tim Gurganus, IT security officer for the university, said that “phishers,” or people who send messages to trick people into giving out passwords or other personal information, were to blame. In the past, he said, he had seen phishers trying to get victims to respond via e-mail with their personal information, but he had not come across this method, with a fake sign-in page.
“It was a good copy — no grammatical mistakes, there was the correct university address,” Mr. Gurganus said. “It was a well-executed attack.”
He was able to find out that only one person so far had entered a password, and he sprang into action. For anyone on the campus, the link automatically redirected them to a Web site that told them the page was a fake. Then he reported the site to Firefox and Internet Explorer, so that anyone using antiphishing features would be protected. Firefox blocked it within a few minutes.
He realized that instead of copying the images for their fake site, the phishers had just linked to images on the university’s real site. Mr. Gurganus changed those images so that if someone had still gotten to the fake page, the top banner would read: “THIS IS A PHISHING SITE! Do not enter your password on any site other than webmail.ncsu.edu.”
By 10 p.m., he had done everything he could to prevent anyone else from being fooled, and he was able to track down the five people who had entered their information and have their passwords changed. The phishers didn’t check back until 9 a.m. the next morning, and they didn’t get any information.
“It will probably happen again,” he said. “It’s easy enough for the phishers to commandeer a Web page or two.”
“This came out well for us, but I still think it was a significant, legitimate threat,” he added.
Doug Pearson, technical director of the Research and Education Networking Information Sharing and Analysis Center, said he had heard of a handful of similar attacks.
Mr. Pearson recommended sharing information about attacks with others, using spam filtering, blocking IP addresses used by phishers, and monitoring for high volumes of mail sent from one person, which the university had done. The only other suggestion he had was for user education. “Users need to recognize the tricks of the trade,” he said. —Marc Beja

