In a mass email sent during the first week of classes, PC and networking services manager Jim Hall warned of phishing emails specifically targeted at students and faculty.
“The semester startup phishing emails have begun so I am sending this gentle reminder that you should never follow a link sent to you in an email that leads to a site that is not hosted by MSU and submit your login information,” Hall said in the email sent Aug. 27. “MSU IT will never suspend an account and then ask you to enter your credentials on a publicly hosted site to regain access to the account.”
Urging users to click a link to a publicly hosted website should be a huge red flag, said Terry Griffin, assistant professor of computer science.
Because these emails attempt to trick students into thinking they were sent from a legitimate source, in this case the university, Griffin said users can protect themselves by verifying that the sender's domain matches the domain of any links in the message.
“If the source and the destination don’t match, delete that email,” Griffin said, using Hall’s email warning as an example. “This one says ‘@virginia.edu,’ so you know it’s not from MSU.”
Spammers and phishers should not have access to the university’s domain, so they resort to hosting their sites elsewhere.
“Phishers typically send a relatively innocuous email that doesn’t trigger spam filters and has a link to a site hosted on a free web host such as Jigsy or Google Sites,” Hall said.
Hall said these emails commonly claim something has caused the recipient’s account to be de-activated or their email account is over quota.
“The emails most often try to get a target (the recipient of the email) to click the link and fill out a form that asks for the username and password to their email account with the promise that doing so will reactivate the account or give them more storage,” Hall said. “Phishers get people to respond with the requested information by using a technique we refer to as spear-phishing which specifically focuses on groups by using graphics and verbiage taken directly from the legitimate web presence of the target and presenting them on the phishing pages to try and add an air of legitimacy.”
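The two checks described above, Griffin's rule that the sender's domain should match the link destinations and Hall's observation that the phishing page usually sits on a free web host and the lure talks about a de-activated or over-quota account, can be written down as a small mail filter. The following Python script is an added illustration, not code from MSU IT or from anyone quoted in the article. The campus domain (msu.edu), the free-host list and both sample messages are constructed assumptions for the example; the only real data points taken from the article are the "@virginia.edu" sender Griffin cited and the two hosting services Hall named.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed campus domain and a short free-host list (Jigsy and Google Sites are
# the services named in the article; the exact hostnames are assumptions).
INSTITUTION_DOMAIN = "msu.edu"
FREE_HOSTS = ("jigsy.com", "sites.google.com")

# Constructed sample lure, modelled on the article's description; not a real email.
PHISH_EMAIL = """\
From: "MSU IT Help Desk" <helpdesk@virginia.edu>
To: student@msu.edu
Subject: Your mailbox is over quota
Content-Type: text/html

<html><body>
<p>Your account has been de-activated because your email is over quota.</p>
<p>Click <a href="https://msu-webmail.jigsy.com/login">here</a> to reactivate it.</p>
</body></html>
"""

# Constructed benign message from the campus domain, linking back to campus.
BENIGN_EMAIL = """\
From: registrar@msu.edu
To: student@msu.edu
Subject: Registration reminder
Content-Type: text/plain

Your schedule is available at https://my.msu.edu/portal for review.
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
LURE_RE = re.compile(r"de-?activated|over quota|suspended", re.IGNORECASE)


def same_org(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def sender_domain(msg):
    """Domain part of the From address (trivially forgeable, see note below)."""
    addr = parseaddr(str(msg["From"]))[1]
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    """Decoded text of the HTML part if present, else the plain-text part."""
    body = msg.get_body(preferencelist=("html", "plain"))
    return body.get_content() if body is not None else ""


def link_hosts(text):
    """Sorted, de-duplicated hostnames of every URL found in the text."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def analyze(raw):
    """Apply the article's heuristics; return sender, link hosts and findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = sender_domain(msg)
    text = body_text(msg)
    hosts = link_hosts(text)
    findings = []
    if not same_org(sender, INSTITUTION_DOMAIN):
        findings.append(f"sender domain {sender} is not {INSTITUTION_DOMAIN}")
    for host in hosts:
        if not same_org(host, sender):
            findings.append(f"link host {host} does not match sender domain {sender}")
        if any(same_org(host, free) for free in FREE_HOSTS):
            findings.append(f"link host {host} is on a free web host")
    if LURE_RE.search(str(msg["Subject"]) + " " + text):
        findings.append("lure wording: account de-activated / over quota / suspended")
    return {"sender": sender, "link_hosts": hosts, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        result = analyze(raw)
        print(label, result["sender"], result["link_hosts"])
        for finding in result["findings"]:
            print("  -", finding)
```

The From header is trivially forgeable, so a sender domain that matches the campus domain proves nothing on its own; the check only catches the careless cases the article describes, where the attacker did not bother to spoof the sender and had to host the form off-campus. A link that resolves to a free web host should be treated as a finding even when the sender line looks right.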
Griffin said there are many ways users can protect themselves, such as enabling more security features in a web browser, but he said there’s a tradeoff.
“You have to sacrifice usability for security, and I’m a big usability guy,” Griffin said.
But Griffin said becoming familiar with scam attempts will help users protect themselves without sacrificing too much usability.
Knowledge is power
Griffin said most students these days are savvy enough with computers that they can avoid most scam attempts, but for those unfamiliar with the web and its many dangers, browsing an email account’s spam folder can help users understand what a phishing attempt typically looks like.
“So you can open spam emails to familiarize yourself with them as long as you don’t click anything within the email,” Griffin said. “In that context, yes, you can become more aware when you’re browsing. Don’t be gullible.”
Hall also pointed users to outside resources for learning about the scams.
“There is a group called the Anti Phishing Working Group that provides very detailed and thorough guidance with regard to phishing and mitigation of risk,” Hall said.
If a student or faculty member determines that they have fallen prey to a phishing scam, Hall said they should act immediately.
“The first course of action is to change the password of the account given to the phisher,” Hall said. “A new strong password should be given to the account and it should bear no similarity to the previous password.”