Scam emails breach student accounts
CIS helps prevent and repair student account hacking
February 24, 2021
“Dear Interested Student, I am Annette Bonner…This message was sent to your email because you have an opportunity from the University Office for Students with Disabilities…this employment won’t take much of your time at least two hours daily and three times a week for $450.”
This quote is from just one of several job fraud emails that have been sent to student accounts from fake professors.
This school year, Computer and Information Systems (CIS) has been blocking more than three times the usual amount of spam emails being sent to student accounts.
Assistant Vice President for Information Technology, Micah Schaafsma, said that in 2019, SPU received an average of 200,000 emails per day with 60,000 being blocked by CIS. This year, that amount has grown to 280,000 emails per day with 160,000 being blocked as spam.
“The challenge then is how do you set that threshold without blocking legitimate email? If we turn it on too far if we make it too restrictive, we could accidentally filter out emails between you and classmates, between you and your professors– legitimate stuff,” said Schaafsma.
Schaafsma said the goal of the scam emails is ultimately to get money, whether it’s through direct fraud or by leveraging accounts they get access to.
First-year Jasmine Kim said she nearly fell for a job scam that claimed to pay students $400 a month working remotely.
“Honestly, I thought the school knew about this because these emails were coming through my school email. So I was like, ‘Oh, I guess this is like school approved.’ I thought it was something we could actually look into,” said Kim.
Kim said she figured the remote job opportunity was to help students make money during the COVID-19 pandemic.
First-year Zach Nacke also received scam emails pertaining to COVID-19, one of which got his student account hacked.
“I had gotten an email, and I think it said something about like a new positive test at SPU, and I was like, ‘Oh, sweet, they’re emailing us now when we get positive tests so we stay more informed,’ said Nacke.
He clicked on the link and entered his login information thinking he was just logging into his SPU account, and then 20 minutes later received an email stating his account had been breached.
“For like, the entire day, I wasn’t able to use my SPU account at all,” said Nacke. “I was able to log into Canvas, but I wasn’t able to do anything with Banner or anything like that because I wasn’t able to log in.”
CIS was able able to remove the hacker from Nacke’s account through careful identity verification and then they instructed him to change his password to prevent the same scammer from accessing his information again.
To help protect students from these sorts of threats and inform them about cybersecurity, CIS publishes awareness articles on a yearly basis.
“October is National Cybersecurity Awareness Month, and we’ll publish sort of an update on all the things that we see going on, and then periodically update that throughout the year,” said Schaafsma.
One concern CIS has, in particular, is the outreach of their user-education. Out of approximately 3500 students and 800 faculty members, analytics showed that only about 140 people read the 2020 cybersecurity awareness article.
“All of those people are the weakest link… If you can get people to understand what the core issues are and the threats and what’s really going on, then you’ll have fewer people taking the bait,” said Schaafsma.
He said that Microsoft has seen a 250% increase of fraud attacks since COVID-19 started. The relevance of user education on cybersecurity has increased now as well, so it’s important for students to be able to recognize the signs of fraudulent emails.
Such signs include suspicious links and attachments, fake names of professors that don’t exist, unnecessary urgency, and grammar and spelling errors.
He said that they’ve also recently upgraded to Microsoft 85 licensing which allows significant enhancements to email filtering and cybersecurity protections.
Microsoft annually invests $1 billion into its cybersecurity systems and is able to effectively block scam messages from filtering through users’ accounts without accidentally blocking legitimate emails.
“We’re still in the process of rolling out a lot of the features that we’re now paying for,” said Schaafsma. “So, theoretically, you should see in the next few months, as we start rolling some of these out, that it gets a bit better than it is right now.”
With COVID-19 rendering many without jobs, the most common form of fraud in this influx has been cash-grabbing. The scam emails coming through to SPU students have been from all over the world, with the objective of cash fraud. Once a hacker has gained access to a student’s account, they gain access to any bank records on file.
“Whenever you click a link in the browser or whenever you initiate something on your phone, that’s a connection or a session where it’s like, ‘Hey, I need this data on this website,’ and then it responds and sends it back,” said Schaafsma.
These inbound and outbound connections from fraudulent links are what give hackers access to account information.
To help protect students’ information further, CIS has been debating the idea of using multifactor identification on student accounts. This way, students would have to answer security questions that only they would know the answer to to access their accounts.
Their one concern with this prospect is whether it would be too much of an inconvenience for students when trying to login. Because they cannot ensure that everyone will read the cybersecurity awareness updates, and they cannot ensure user education, this will provide extra precaution.
“How do you put people in a padded room without locking them in the room, if that makes sense,” said Schaafsma. “Like you can run into the walls and not hurt yourself, but you can still get out.”