Point Park gone phishing
IT sheds light on university-wide email scam
September 18, 2018
“Look before you click” is the golden rule for avoiding a phishing email attack that could leave a computer vulnerable to spammers.
The United States remains a top target for phishing attacks, accounting for 86% worldwide, according to a study by Phishlabs. Just this past summer, the city of Atlanta, Georgia lost over a third of its critical programs in a data breach that began with a phishing scheme.
Point Park University is no exception to that statistic.
Since the start of the semester, students and faculty alike have been tricked by yet another email phishing scam. It is easy to be duped by emails that appear to be from friends or colleagues, information technologies (IT) director Tim Wilson said.
“A phishing email is socially engineered,” Wilson said. “These people that are doing this are trying to find out as much as they can about the people who work in your organization.”
Spammers can get past the firewall with junk mail that carries links. Crafting the email to appear to come from a trusted source lets them trick users into clicking infected links that can embed ransomware in a system and then push the same lure out to the victim’s contact list, according to Wilson.
“It’s a challenge not just for our organization, but for all organizations,” Wilson said. “We have to create a mobile environment for you to move around in.”
Mobile networks are the most challenging to keep secure.
“At the end of the day, you try to strike that happy balance between creating an environment for our students that’s not like a prison,” Wilson said.
Francesca Dabecco, senior journalism major, said she clicked through a phishing email on her phone from a professor at the start of the semester, causing a mass of messages to be sent from her outbox with a similar scheme.
“I clicked on it because I thought I needed to know something for my upcoming classes,” she said. “It took me to a page where I had to re-sign into my email. All of a sudden, my email was sending messages to people I was talking to last semester.”
It’s essential to look at emails with a critical eye, according to Albert Whale, cybersecurity expert and founder of IT Security.
“You’re going to have to really start looking at where these emails are from,” Whale said. “Pay attention to the English style you’re used to seeing. Spammers in other countries aren’t as familiar with the English styles we use.”
Phishing generally falls under two categories, according to David Thaw, a cybersecurity expert at the University of Pittsburgh.
“The first category is when the email actually does come from the other contact,” Thaw said. “The second category appears as a first and last name, but the address is different – like a string of numbers at yahoo.jp – the country domain for Japan.”
If an email looks suspicious, Thaw recommends reaching out to the friend or colleague in a new email to ask whether they had actually been trying to make contact.
“It’s hard to teach people how to avoid this though, because it’s like trying to teach street smarts,” Thaw said. “These really are hard problems that don’t have magical fixes – if they did, they’d already be in use.”
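Thaw’s second category, a familiar display name sitting over an unfamiliar address, can be checked mechanically against an address book; his first category, mail genuinely sent from a compromised account, passes such a check, which is why the out-of-band confirmation he recommends still matters. The script below is an added example and not code from the article or from Point Park’s IT department; the address-book entries and the header strings are constructed sample data.

```python
from email.utils import parseaddr

# Constructed sample address book (hypothetical names and addresses):
# display name -> set of addresses that person is known to send from.
KNOWN_CONTACTS = {
    "Jane Professor": {"jprofessor@pointpark.edu"},
    "Sam Student": {"sstudent@pointpark.edu", "sam.student@gmail.com"},
}


def classify_sender(from_header, known=KNOWN_CONTACTS):
    """Classify a From: header against the address book.

    Returns (category, reason):
      'trusted'   - display name and address both match a known contact;
                    a compromised real account also lands here, so an
                    unexpected message still deserves a separate check
      'lookalike' - display name matches a known contact but the address
                    does not, e.g. a familiar name over a numeric mailbox
                    at a country-code domain
      'unknown'   - display name is not in the address book at all
    """
    name, addr = parseaddr(from_header)
    name = name.strip()
    addr = addr.strip().lower()
    local, _, domain = addr.rpartition("@")

    # Cheap hints that make a mismatch easier to explain to the reader.
    hints = []
    if local.isdigit():
        hints.append("local part is only digits")
    if "." in domain and len(domain.rsplit(".", 1)[-1]) == 2:
        hints.append(f"country-code domain {domain}")

    if name in known:
        if addr in {a.lower() for a in known[name]}:
            return "trusted", "address matches the address book"
        reason = f"name '{name}' is known, but {addr} is not one of their addresses"
        if hints:
            reason += " (" + "; ".join(hints) + ")"
        return "lookalike", reason

    if name:
        return "unknown", f"no contact named '{name}' in the address book"
    return "unknown", f"no display name; address is {addr or 'missing'}"
```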
Exercising careful judgement is the best way to stay secure online, according to Wilson.
“If it sounds too good to be true, it’s probably not true,” Wilson said. “If someone is offering you five hundred dollars to click, it’s probably not going to happen. Just be smart.”
Dabecco went straight to IT when her email security was breached.
“Essentially, they changed my password and had me delete all of the emails,” Dabecco said.
Point Park’s IT department is working on implementing technologies to squash these issues before they take hold. Cyber analytics is one program the department is developing.
“We are currently working with a cyber analytic company to have some cyber analytic appliances on our network that are pretty advanced,” Wilson said. “It’s the same one used by the Department of Defense and the Department of Energy to protect the energy grids in this”
Two-factor identification is another method of security that IT on campus is looking into. This program uses a username and password along with another form of identification – like a text message code or security question.
According to Wilson, the IT department is currently testing two-factor identification.
Repeated notices about these issues may prove helpful for students and faculty as well, Dabecco suggests.
“Sending reminder emails may be what it takes,” Dabecco said. “We go through our emails so fast, we can forget. It would be helpful to be reminded, even somewhere else, like on Schoology.”
If more people in society kept cybersecurity on their minds, Wilson said these scams would be less effective overall.
“IT Security is everyone’s business,” Wilson said. “We don’t have a designated security person, I make it part of everyone’s job description. As a community, if we were all a lot smarter about our online presence, we could put a big dent in this thing.”
Tristan A Washington • Sep 18, 2018 at 9:32 pm
Excellent article and it points out some very basics to follow to help reduce the chance of phishing attacks being successful.