Phishing emails, spoofing and forgery schemes have found a hunting ground in institutions of higher education such as UMBC. Below are some reasons why universities are appealing targets. If you would like more information, please see the original article linked below.
Why Target Universities?
Access to personal data. To a cyber criminal, universities are goldmines of information. Universities’ databases contain personal details of thousands of students and staff, including names, addresses, phone numbers, dates of birth, social security numbers, driver’s license numbers, financial information and medical records.
Access to research. Many universities have cutting-edge research and development departments that may even be funded by the US government. This research may be valuable to foreign nations, which makes it a target for many hackers.
Lack of security. Universities that allow students and faculty to bring their own devices onto campus make it much more difficult to track down and contain any malicious software that may enter the network.
Budget constraints. Universities have a goal of attracting new students, and one way this can be done is by controlling tuition cost. Cybersecurity is a lower priority, as most potential students are not likely to decide on a university based on the school's security and privacy practices.
Transient nature of universities. Every university has a constantly changing population. With each new batch of students or faculty, there are those who are unfamiliar with security policies and procedures.
Examples
One of the phishing schemes involves scammers attempting to gain access to students’ federal student aid (FSA). The attack begins with a phishing email. For example, the message may notify the recipient of a fake university bill that can be paid through the portal.
These attacks will usually threaten late fees to increase the urgency. Once the attacker has access to the student’s portal, they’ll change the student’s direct deposit destination so that the money is sent directly to the attacker.
Another phishing tactic is the fake job offer. Scammers will recruit students for a fake job. Students who respond to the phishing scams are sent a counterfeit check with instructions to deposit it and to send back a portion to the scammer immediately by writing a check on their own funds.
After the money is sent back to the scammer, the bank will notify the student that the original check is a fraud and that the student has lost the money they sent. There is no way to recover these funds.
How to Stay Protected
Using 2-factor authentication to add another layer of security. UMBC offers 2-step authentication through DUO. For more information on DUO, please see https://wiki.umbc.edu/display/faq/Two-Factor+Authentication+with+DUO.
Navigating directly to the source rather than clicking a link or opening an attachment within an email or text.
Looking for typos and errors.
Making note if the email is giving a sense of urgency. Any wording that seems intended to frighten or upset the reader is an attempt to encourage action without thought.
What to do if you receive a phishing email?
If you do receive an email that you believe is a scam, please DO NOT respond any further or click on any URLs. If you have provided any banking or financial information, please notify your bank or financial institution immediately. If you have been sent a check, you should not attempt to cash or deposit it. If you have deposited a check already, please contact your bank and tell them that it may be part of a scam.
Whether or not you responded to the scam, please forward the message (with the email headers) to security@umbc.edu. We will also keep track of any other information you submit about the scammers, such as their phone numbers. If you were sent a check or other materials, please send pictures of them and the envelope they came in.
How do I forward full email headers?
https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970
To read more articles published by DoIT Security please visit:
https://itsecurity.umbc.edu/critical/?tag=notice.
https://itsecurity.umbc.edu/home/covid-19-news/?tag=covid19
For more information please read:
https://www.clearedin.com/blog/phishing-emails-target-universities