Students fall victim to phishing despite University assistance

Hackers use compromised University accounts to request users’ information through emails

By
Senior Staff Writer
Wednesday, January 27, 2016

As the spring semester kicks off and students return to checking their University email accounts every day, some will encounter phishing emails — messages from hackers meant to steal private information, such as usernames and passwords.

Despite defensive tools provided by Google and the University, 141 University community members had their accounts compromised by hackers in September, said Ravi Pendse, vice president for computing and information services and chief information officer.

Though phishing emails arrive in the mailboxes of students, faculty members and staff all year, many are neutralized by University security tools and Google’s spam filter.

CIS’s Phish Bowl, an online archive of phishing emails sent to students, can help students questioning the validity of emails to identify phishing attempts.

Through CIS, the University also offers students opportunities to boost their knowledge about phishing scams. Last semester, CIS ran the BEar AWARE challenge, a series of quizzes intended to bolster awareness about phishing throughout National Cyber Security Awareness Month, Pendse said. Students submitted nearly 700 quizzes during the challenge, he added.

Before even landing in community members’ mailboxes, most conventional phishing emails are blocked by Google’s spam filter, which catches an average of 785 million spam and phishing emails every day, Pendse said. Google also prevents phishing through its two-step verification process: When someone logs into an account from an unknown computer, the two-step verification asks for more information that can be obtained through a text message or phone call to the user’s phone number, making it harder for phishers to successfully gain access to an account.

Still, successful hackers have bypassed these defense systems by using compromised University accounts, Pendse added.

Pendse said participation in an “open culture” typical of university communities makes students and faculty members easy targets for phishing. “We openly communicate with people and openly share information,” he added. “We oftentimes will get emails from people we do not know.”

Phishing emails come disguised as requests for information. A common example requires the user to provide information to prevent her account from being deleted. One email told faculty and staff members they could only get a pay raise if they entered their username and password, Pendse said.

According to the University’s IT Knowledge base, phishing emails often include features that make them seem official, like the University’s seal. But clues such as misspelled words and attachments can identify them as phishing attempts.

For first-year students new to the University, these emails have become easier to spot with one semester of age and experience under their belts.

“As you get older, you simply learn about phishing (and) scam emails and what they are. It becomes easier to distinguish between legitimate messages and ones that are just spam,” said Tomi Onabanjo ’19.

Jewel Brown ’19 said she simply uses her intuition to determine whether an email is legitimate. If it does not look right, she does not respond.

Pendse said he hopes everyone will adopt two-step verification to maintain their account integrity, adding that it is important for everyone to know that “CIS will never ask for your username and password.”