Despite warnings not to trust emails from Nigerian princes, research firm Duo Security reports that one-third of American employees are falling for phishing scams. But, in their defense, the scams have gotten more sophisticated.
In higher education, institutions from the large and well-known to small colleges with limited IT are at risk for increasingly focused attacks.
“What seems to have changed in the last year or two is that the attacks seem to be more directed,” says Nathan Phillips, CIO at Marylhurst University, in an Inside Higher Ed article. “People are clearly doing research on who they’re targeting.”
Though these attacks are getting more prevalent — Inside Higher Ed reports that Alfred University in New York has seen a “sharp increase in phishing attacks since October” — making sure your staff and students are informed is a big first step.
1. Fraudulent Emails Can Look Official
Typos and obvious misspellings used to be an indicator that an email might be a scam. However, today’s phishing emails may look like the real deal.
At Alfred University, a recent scam featured an email that was supposedly sent from the university’s president asking someone from his executive team to initiate a payment, Inside Higher Ed reports. Other times, the attempts have even used the Alfred color scheme and logo.
“[Hackers] are looking at branding, messaging and how we interact with each other. We’ve never seen scams get that sophisticated before,” says Gary O. Roberts, Alfred’s CIO, in the article.
Inside Higher Ed also reports that hackers have accessed email accounts of people that university employees would regularly work with, such as vendors, and sent links for invoices that would install malware on employees’ computers.
2. Some Attacks Are Tailored for Students
Faculty aren’t the only targets who’ve seen an uptick in personalized phishing emails. Earlier this year, students at Dartmouth College received a fake email asking for login credentials that looked like it was from their president, campus newspaper The Dartmouth reports.
Another attack reported by several news outlets preyed upon students’ desire to find postgraduate work. These emails contained phony job opportunities and then asked for personal information.
At Louisiana State University, students are getting phishing emails that claim to come from the very people who are supposed to be helping them: the IT help desk. In the emails, students are told they need to verify their accounts by following a link.
“When we do things that require a link, it’s very specifically an LSU link,” says Sheri Thompson, LSU’s IT services communications and planning officer, in a video on LSU Now. “Be skeptical about any links that you get, any request for information you get.”
3. Tax Time Is High Time for Hackers
In addition to knowing the popular phishing tactics, faculty and students should know the popular times for these attacks to occur. It turns out that time is right now, leading up to the final IRS tax deadline.
One popular scam is the W-2 scam, which targets payroll and human resources departments — like those in higher education — and asks for W-2s and employee lists, reports CCH Group’s Tax & Accounting Blog.
4. Steps to Follow Once You’ve Received a Weird Email
Within its warning, the University of Michigan offers some tips for staff and students who’ve received a suspicious email or even clicked the link. One approach is to make it difficult for someone to use a stolen password.
“The two-factor [authentication] approach provides an additional layer of security to guard against these types of attacks, even if the attacker gets someone’s UMICH password,” says Sol Bermann, UMich’s interim CISO, in The University Record article.
Florida State University has outlined some tips for identifying a scam when an email seems suspicious. FSU advises students and staff to be wary of emails that:
- Ask for login credentials
- Threaten to suspend an account or service without a response
- Notify you of a virus
- Tell you to click a link to solve any of the above issues
Both universities agree that students and staff should contact IT if they’ve received an email that meets any of these criteria.
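For IT staff triaging reported messages, the Python below is an added example (not code from any university quoted here) that checks a plain-text email against FSU's four warning signs and applies LSU's advice that legitimate links point to the institution's own domain. The domain `university.example`, the phrase patterns and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumption: placeholder for the institution's real domain.
TRUSTED_DOMAIN = "university.example"

# Constructed phrase patterns, one per warning sign in the list above.
SIGNS = {
    "asks for login credentials": r"\b(password|login|credentials|verify your account)\b",
    "threatens suspension": r"\b(suspend|suspended|deactivat\w+|terminat\w+)\b",
    "virus notification": r"\b(virus|malware|infected)\b",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message; the link only looks like the trusted domain.
SAMPLE = """From: IT Help Desk <helpdesk@university.example>
Subject: Action required

Your mailbox will be suspended unless you verify your account today:
http://university.example.account-check.test/login
"""

def is_trusted(url, domain=TRUSTED_DOMAIN):
    """True only if the URL's host is the domain itself or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw_email, domain=TRUSTED_DOMAIN):
    """Return the warning signs found in a raw email, in a fixed order."""
    msg = message_from_string(raw_email)
    # Only text/plain parts are scanned, and they are not transfer-decoded.
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}"
    found = [name for name, pat in SIGNS.items() if re.search(pat, text, re.I)]
    links = URL_RE.findall(text)
    if found and links:
        found.append("link offered as the fix")
    found += [f"off-domain link: {urlsplit(u).hostname}"
              for u in links if not is_trusted(u, domain)]
    return found

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The suffix check in `is_trusted` matters because a host such as `university.example.account-check.test` contains the trusted name without belonging to it.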