The first clue that something was wrong at Tidewater Community College in Virginia emerged in March 2016 when at least 15 employees discovered they could not file their tax returns. After the IRS informed the employees that their returns had already been submitted, college officials realized someone had breached the computer system.
The attack began when an employee of the finance department received an email that appeared to come from a supervisor who requested the names, social security numbers, earnings, withholding and deduction information of more than 3,000 current and former college employees.
Since it had been sent on an internal college email, the employee complied.
The scammer must have suspected that this person in the finance division had the W-2 information, says James Toscano, Tidewater’s vice president for institutional advancement.
Like dozens of colleges and universities across the country in recent years, Tidewater had been the target of a phishing attack—an attempt to use email to convince someone to click on a malicious link or reveal a password.
Phishing is just one type of “social engineering”—the criminal act of manipulating people to surrender confidential information. In the past five years, it’s become a constant threat, and many college leaders see it as the No. 1 cybercrime they face.
The exploding number of phishing attempts has forced schools to launch campuswide educational campaigns as they continue to harden their computer networks with firewalls and two-step authentication logins.
“Education is almost always the single biggest defense against hacking and social engineering,” says Jeremy Cucco, chief information officer at the University of Puget Sound in Washington.
“Often the best thing you can do is show people what a current phishing attack looks like and what they can do to make sure their personal information is protected.”
The increasingly sophisticated techniques scammers use to replicate email addresses and university websites have complicated efforts to combat phishing on college campuses.
Telltale signs—such as misspelled words and suspicious email addresses—are no longer part of the scammers’ online footprint.
“You used to be able to tell the difference between what was real and what was counterfeit,” says Jake Holmquist, chief information officer at Manhattan College in New York. “That’s not necessarily the case anymore.
These messages are so carefully fabricated and so carefully focused on the right people that it’s very hard to distinguish between legitimate and fraudulent messaging.”
Strategies to combat phishing
- Send out simulated phishing emails to monitor who clicks on them, and to educate computer users on what a phishing attack looks like.
- Create an educational presentation during freshman student orientation to teach incoming students about phishing.
- Use playful props or activities to attract the interest of students, such as a fishing contest in a kiddie pool.
- Send an email alert when your campus is hit by a phishing attack and include a description or image of the malicious email.
Stocking fake phish on campus
Colleges and universities now launch simulated attacks against subsets of people across campus to teach students, faculty, and staff how to detect an actual phishing email.
North Dakota State University, for example, sends out its own phishing messages with embedded links. Recipients who click land on a page full of information about spotting fraudulent emails, says Marc Wallman, vice president for information technology.
Other institutions have hired private companies to send simulated phishing messages. The State University of New York at Geneseo works with KnowBe4, which offers customized phishing security tests to help employees recognize and resist clicking on dangerous links.
“It’s a just-in-time teachable moment when someone falls for it, and then you can immediately teach someone what they should be looking for and why it was a phishing attempt,” says Susan Chichester, chief information officer and director of computer information technology at SUNY Geneseo.
Institutions also use simulated phishing to determine which computer users are vulnerable to malicious emails, and then shape preventive programs accordingly. That was the intent in spring 2017 when Mount Holyoke College in Massachusetts began sending “self-phishing” attacks to a random sample of faculty and staff to monitor how they responded to the emails.
“We learned a lot about our technology configuration and about the responses of those who got through by clicking on something in the email,” says Alex Wirth-Cauchon, chief information officer and executive director of library, information and technology services.
Wirth-Cauchon will use the results of the test to shape educational campaigns planned for later in the semester.
Strategies to combat phishing (cont.)
- Add a two-factor authentication process to your campus email system.
- Offer training to faculty and staff to teach them how to identify phishing emails.
- Monitor incoming email to ensure malicious messages are being diverted to spam folders.
Stoking students’ interest in safety
Many colleges and universities initially focused anti-phishing programs on faculty and staff, because they have access to the financial accounts and academic research targeted by cybercriminals. Now schools are broadening their educational campaigns as scammers increasingly shift their attention to students.
At Stockton University in New Jersey this March, a student fell victim to a phishing attack targeting job-seeking seniors when he responded to an email advertising a position for a virtual assistant.
The scammer sent the student what looked like a legitimate check for $1,900 as a signing bonus and asked him to wire half of it back. He did, and the check then bounced.
The Office of Information Technology Services used the case, which police are investigating, to illustrate several key lessons about cybersecurity to its faculty, staff and students: employers should never ask for personal information through email, and anything involving the distribution or transfer of money should raise a red flag, says CIO Robert Heinrich.
Beyond frequent email reminders about phishing, Stockton offers online workshops on cybersecurity for the entire campus community and provides cybersafety tips to incoming students during freshman orientation.
Educating students about phishing can be a challenge because 25 percent of the undergraduate population turns over every year. To spark interest, SUNY Geneseo played off the word by stocking a kiddie pool with magnetic fish for students to reel in during Cyber Security Awareness Month last October.
Mount Holyoke officials decided to tap into the “maker culture” popular among students by having them create buttons at a cybersecurity table at orientation. “Whether it’s treats or making buttons, it’s just finding a way to open a conversation and engage students,” says Wirth-Cauchon.
Finding technical solutions
Phishing attacks have wreaked havoc across a wide range of industries. One key difference that may make higher ed even more vulnerable than others is this: Not all institutions require two-factor authentication when a user logs on to campus computer systems.
Multifactor authentication—in which a password plus additional verification on another device is needed to log in—would further fortify campus networks against hackers, says Kim Milford, executive director of REN-ISAC, the Research and Education Networking Information Sharing and Analysis Center.
The Indiana University-based organization promotes cybersecurity in higher education.
In a 2016 Educause study of 680 higher ed institutions, 52 percent said they required some type of multifactor authentication.
North Dakota State now uses two-factor authentication for employees with access to sensitive information such as payroll forms. Scammers have successfully targeted the university five times in the last four years, stealing money from direct deposit accounts, explains Wallman.
In response, a broader rollout of two-factor authentication is now under consideration.
Institutions also monitor incoming email constantly to ensure malicious messages are being diverted to spam folders. IT departments are also hardening firewalls to keep such email from reaching campus systems in the first place.
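As an added illustration of the inbound-mail monitoring described above (this is not code from the article or from any institution it names), here is a small Python triage rule aimed at the W-2 request pattern in the Tidewater incident: it flags a display name that matches a known employee but comes from a different address, an internal-looking sender that failed SPF/DMARC, an external Reply-To, and wording that asks for payroll or tax data. The campus domain, the staff directory and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr
# Hypothetical campus domain, staff directory and request wording, all constructed for this example.
INTERNAL_DOMAIN = "tcc.example.edu"
STAFF_DIRECTORY = {"dana rivera": "drivera@tcc.example.edu"}  # display name -> real address
SENSITIVE_TERMS = ("w-2", "social security", "ssn", "withholding", "payroll", "direct deposit")

def triage(raw):
    """Return the reasons to hold a message for review; an empty list means it passes."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    part = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (part.get_content() if part else "")).lower()
    reasons = []
    # 1. Display name matches a known employee but the address is not that employee's.
    expected = STAFF_DIRECTORY.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display-name impersonation of {expected} by {addr}")
    # 2. Address claims the campus domain but SPF/DMARC did not verify it (spoofed internal mail).
    if addr.lower().endswith("@" + INTERNAL_DOMAIN) and ("spf=fail" in auth or "dmarc=fail" in auth):
        reasons.append("internal sender failed SPF/DMARC")
    # 3. Replies would leave the institution.
    if reply_to and not reply_to.lower().endswith("@" + INTERNAL_DOMAIN):
        reasons.append(f"external Reply-To {reply_to}")
    # 4. The message asks for payroll or tax data.
    hits = [t for t in SENSITIVE_TERMS if t in text]
    if hits:
        reasons.append("requests sensitive payroll data: " + ", ".join(hits))
    return reasons

# Constructed sample: supervisor impersonation asking for W-2 data, the pattern in the article.
SAMPLE_IMPERSONATION = """\
From: Dana Rivera <dana.rivera@mail-lookalike.example>
Reply-To: dana.rivera@mail-lookalike.example
Subject: W-2 request

Please send me the W-2 forms and social security numbers for all employees today.
"""

# Constructed sample: a genuine internal message that should pass.
SAMPLE_LEGIT = """\
From: Dana Rivera <drivera@tcc.example.edu>
Authentication-Results: mx.tcc.example.edu; spf=pass; dkim=pass; dmarc=pass
Subject: Lunch

Are you free at noon?
"""
```

A real gateway would feed the held messages to the security team rather than silently dropping them, since the same rule will also stop some legitimate payroll traffic.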
The most successful approach remains educating computer users about the threat. “For the most part, colleges and universities are doing the most important thing, which is that end-user training and awareness,” says Joanna Grama, director of cybersecurity at Educause.
“They know they have got to educate students, faculty and staff to be aware of phishing. That’s just part of the price of doing business today.”
Sherrie Negrea is an Ithaca, New York-based writer who frequently contributes to UB.