Phishing emails target faculty and staff
October 1, 2018
An email addressed from President Timothy Caboni was sent to faculty July 18 with instructional assignments discussing an Amazon business account for WKU. The problem? Caboni never sent the email.
Phishing is a form of hacking through an email scam. Someone can appear to be a trusted source to trick recipients into providing valuable information, commonly email credentials.
“By using the victim’s email account to send subsequent phishing messages, the messages appear more trustworthy and hackers increase their success rate,” Greg Hackbarth, assistant vice president for Information Technology Services, said.
Hackbarth said there have been several phishing messages targeting faculty and staff within the past months.
In these emails, recipients are asked to enter login credentials which Hackbarth said can be used to send additional phishing messages or to hack an account. He said as people enter credentials, the scam becomes more difficult to recognize.
Hackbarth said that after the initial scam, phishing can grow. Hackers start by using their own email, but once they have credentials to another system they can start sending phishing messages to accounts through a trusted email or system.
Ultimately, hackers are seeking financial information. Hackbarth said by posing as a recipient’s family member, friend, employer or business, they can ask for money or reset passwords and information to have money directly sent to them.
Journalism professor Mac McKerral said he got a faculty-all email a few weeks ago from someone who identified as working in Student Services, including a bio at the bottom. It included directions to click on a link in the email, and McKerral said he clicked on it. Immediately, a Firefox blocker popped up and warned him not to go further.
“The people who are sending these things are getting really sophisticated,” McKerral said. “I mean, this looked absolutely legit.”
To counter the rise in phishing emails, Hackbarth said IT uses an email filtering tool from Barracuda which eliminates some outside scams.
“No filter is perfect, but our staff constantly works to tweak our filter’s rules to block or tag messages from untrustworthy senders or with common spam/phish phrases,” Hackbarth said in an email.
Secondly, Hackbarth said IT informs the WKU community of circulating phishing scams through security bulletins, the IT website, training programs for online training resources and new employee orientation and the Phish Bowl, a website which provides examples of recent phishing messages.
Hackbarth said IT is working to strengthen security against phishing through training and awareness. He said further measures like multi-factor authentication for email would have greater consequences and require community discussion.
At WKU, Hackbarth said he considers phishing an issue but acknowledged it’s a problem everywhere. From an organizational perspective, he said phishing on faculty or student accounts not only impacts the individual but could give away access to some WKU system.
“Some of our population at WKU does fall for phishing scams, but it’s a minority of our users,” Hackbarth said. “Unfortunately, it only takes a few victims to create problems.”
Phishing isn’t limited to WKU and other universities. In 2016, the FBI’s Internet Crime Complaint Center received over 300,000 complaints with reported losses exceeding $1.4 billion, according to an annual 2017 Internet Crime Report.
The most common crimes calculated by reports by victims were non-payment and non-delivery, personal data breaches and phishing/vishing/smishing/pharming scams, according to the report.
FBI’s IC3 issued a public service announcement Sept. 18 warning people of email phishing scams specifically targeting employee online payroll. The fields most impacted were education, healthcare and commercial airway transportation, according to the statement.
On the statement, IC3 offers several recommendations to prevent falling for phishing scams, including employers to tell employees to hover their cursor over hyperlinks within an email to view the URL to make sure it is related to or associated with the company it claims to be from.
IC3 encourages victims of phishing and other cyber security to report the case to local FBI field offices and to file a complaint on their website.
Six ways to spot phishing on your WKU account:
-
Be suspicious of email that alerts you to problems with your account, is labeled “Urgent”, or requires “Immediate Action”.
-
Be suspicious of attachments, and only open those that you were expecting.
-
Be suspicious of email from a friend or colleague that looks odd or out of place. If their email account has been compromised by an attacker, it could be used to send phishing email.
-
Examine the email address. Often the “Display Name” will say something that looks familiar, but the underlying email address (with the “@” sign) is obviously foreign or nothing you recognize.
-
Examine the underlying URL on any links. Regardless of how the link is labeled in the email, the underlying link on a Phish email will usually not be a “wku.edu” address.
-
If you click on a link be sure to look at the address bar of your browser. If the domain does not end in wku.edu, you are not on a WKU page.
Information from www.wku.edu/its/security.
News editor Rebekah Alvey can be reached at [email protected] and 270-745-0655.
Reporter Emma Austin contributed reporting.