College Identifies Phishing

By Brooke Schultz
Editor-in-Chief

Two phishing schemes were identified by Office of Information Technology last week that were transmitted through Washington College email addresses.

“The first one we were made aware of on Tuesday afternoon was an email that appeared to have been sent from one of our employee’s email accounts to many other people on campus,” said Chief Information Officer Scott Cowdrey.

The email, which came from a faculty member’s washcoll address, had the subject line, “[Employee Name] has shared a file with you using One Drive,” which made it sound like a legitimate email.

When a user followed the link, they were led to a login page for Office 365.

“It was faked,” Cowdrey said. “The page you landed on looked very real but when you filled in your ID and password for OneDrive, that information would be captured by a third party, the scammer. They would then be able to send other emails from this captured account.”

Cowdrey described the fake login as a “good one” and a “fairly common practice” for phishing schemes.

“[The] outcome of that is pretty dangerous because someone has taken over an email account. This is why we encouraged them to change their password so the scammer would not have access anymore,” he said.

Changing the password is the easiest way to make sure the scammer no longer has access to your account, he said.

Marshall Walton, senior systems engineer and security specialist, said that if that same password is utilized on other accounts, change those too.

“It’s one of the main reasons we—and the industry—force password changes so often to help prevent access if your account info does get out there,” he said. “If you have given out your personal information, keep an eye out for identity theft; if you have given out bank account information, contact your bank immediately.  This isn’t unique to this incident, this is important any time these sorts of things happen.”

The second phishing scheme was slightly different, and Cowdrey said there is no reason for them to believe the two are connected.

This scheme involved a part-time job opportunity, which came from a student’s washcoll email address. The email was an ad for an easy job that paid well. It provided a person’s contact email and phone number.

Cowdrey personally received this email, along with other colleagues, which tipped them off that it may be something suspicious, he said.

“A few people responded to that very quickly by email. While this wasn’t an online form collecting data, just sending an email with your name was the first step in the scammers collecting your personal information online,” he said.

Walton said that this particular case was “social engineering.”

“It is much trickier, from a technological standpoint, because there is often little to nothing technology wise you can do to stop them,” he said. “Technology is just the delivery mechanism, but the scam can take place via mail, or phone, or even in person; it’s a means to gather information, normally for malicious intent like identity theft, or even trying to get banking information, or just asking for login information.”

Walton said that IT took steps to block WC accounts from communicating with the scammer, but, he said, that doesn’t stop people from emailing the scammer through their own personal accounts.

Of the two incidents, Cowdrey said that the first was a more “immediate situation.”

“If you mistakenly get caught in that phishing scheme, the scammer can take that and log right into your account,” he said. “The second took longer to enact, but ultimately could have been more dangerous.”

The best way to prevent being deceived by a phishing scheme is educating yourself, said Walton.

“Be leery,” Cowdrey said. “Make sure it actually came from a person at washcoll.edu. It’s easy to spoof a ‘from address.’ Make sure it’s the correct email address.”

He said that when you have “live hot links” in the body of a message, hovering the mouse over shows the actual web address.

“Is it going to a legitimate site? Or does it have a long string of numbers that may mean the link is bogus?” he said. “That’s what I do. I try to look at the ‘from’ part of the email, and make sure any hot links appear to be going where they say they’re going to. On the page the link may say some site name and if you hover over it, could have a whole other string of information there.”

“As an example, most attackers will use someone else’s site to host their information-gathering phishing page, so the address you go to is something crazy,” Walton said. “Make sure you always only enter your credentials in a site you know, check and double check; never just click a link and enter your password, even if someone you know sends you the link.”

Cowdrey said that most phishing schemes are very poorly done, and it’s easy to identify if it looks wrong.

OIT does have ambitions of rolling out a cyber security training program for faculty, staff, and students to better educate them on online safety, and these suggestions are something that would be included in that program, Cowdrey said.

“Those [tips] will help you to avoid the more obvious problems,” he said. “This email last week was very clever; some are clever enough to work around those and that makes it hard to identify.”

Globally, Walton said that phishing schemes occur “every second of every day.” At WC, they happen daily, but most are blocked by spam filters, antivirus, and by Microsoft itself.

“About every other week one will slip by but are normally very limited in scope only going to a few people. A couple a year will have a bigger scope like the one last week,” he said.

“It’s important to remember everybody falls for these things; it happens to even the most trained people, it is just important to be able to protect yourself and limit your risks,” he said. “This isn’t unique to WC, this is going to happen in your personal email, a call from your cell phone, or even eventually in your career.  Sometimes it is as simple as someone calling you, claiming to be tech support and simply asking for your username and password or bank account info.  The best advice is to never give out or type in your password or personal information unless you are 100 percent positive you know where that information is going.”

Leave a Reply

Your email address will not be published. Required fields are marked *