An email designed to look like it was sent from UA President Ann Weaver Hart was identified as a threat on Jan. 12. At the beginning of the fall 2016 semester, an email sent to some university employees that appeared to be from the UA president turned out to come from a phisher in Belgium.
The UA’s Office of Information Security receives hundreds of reports of potentially dangerous emails on campus every year. So far, there have been over 30 posted alerts of suspicious emails found in student and faculty inboxes this semester alone.
Phishing is a social engineering technique to acquire login information and personal and banking details under the guise of legitimacy. The sender of a phishing email attempts to lure a user into giving up key facts of their digital identity.
Information Security Manager Teresa Banks is in charge of online awareness and training at the UA. She said that students are viable targets for hackers.
“Now that campus is more active, students are looking at their email,” she said. “This generation isn’t always keyed in to their email. When it looks like something that could be coming from the university, you’re clicking on it, you’re making sure you know what’s going on and it’s easy to use a few buzz words and trick you.”
There are a few different ways a phish attack can snare a victim. Opening the initial email can infect someone’s computer with viruses or ransomware, which blocks a user from their own data until they pay money to get back in. Opening a link can direct a user to a fake website with malware. Finally, when a person actually submits their information, the logins for their accounts are saved and can be used to phish.
Computer Sciences student Andrew Boring said he always feels comfortable opening emails that look like they’re from the university.
“I’ve never had problems from my UA email address,” he said. “I know that no security is fool-proof, but I also figure that we’re far enough into the digital age that most institutions have some idea of what they’re up against.”
Email scams have evolved and continue to become more sophisticated.
Interim Director of IS Gil Salazar has an extensive background in IT security and has been with the university over 30 years. He said bad spelling or other errors used to be the calling card of a phish.
“Now they look legitimate, the grammar has gotten better,” he said. “We tend to err on the side of being cautious, and we tell people not to click on links at all. Links are a sure sign of one of the phishing symptoms.”
Links inside a phishing email tend to lead to a fake site. Hovering over the URL will reveal the site’s true identity. Attachments are also a sign of phishing, and emails from the university will never ask for login details.
Charlie Touseull has worked at the UA for nine years and is currently a library information associate. He has seen phishing attempts go up at the college.
“Because of repeated warnings, I have personally never fallen for such an attack,” he said. “However, gauging from the amount of emails that are sent to me by various members of the IT department, many of my colleagues across campus are not seriously heeding those calls.”
Though Touseull has confidence in the library’s security systems, he said he believes all users must be active in their own digital protection.
“Security protocols and firewalls are only effective if all players adhere to a similar level of action and vigilance when it comes to safeguarding data and information,” he said. “This is what hackers do, they seek out the weakest links and attempt at finding ways to exploit weaknesses within a system.”
Information Security posts daily alerts of emails found on campus that might contain cyber threats.
Though Salazar has not received a phishing report from a student, it can and does happen.
“At the university, phishers are most interested in getting into our UAccess faculty and student systems,” he said. “Once they’ve gotten the information, they have access to student grades or financial records. They have the keys to your digital kingdom.”
Some of the student scams found by security were fake job offers, illegitimate security and financial alerts and Microsoft support and tax return scams.
Finding patterns helps to identify phishing sooner, and Banks has spotted a trend for freshmen.
“Somehow during orientation some bad guys get a hold of some email addresses for the incoming freshmen,” she said. “Then, they get these emails saying, ‘I need a personal assistant’ or ‘I need a courier,’ something like that, and their goal is to get access to your bank account, and it has happened.”
Salazar said one student in the past spent about $3,500 as a result of supplying personal information for a fake job.
While students are at risk of email scams, it is the college faculty and staff most in danger of phishing attacks.
“We’ve had instances where they change payroll deposits,” Salazar said. “Money goes somewhere else, they do that. We had a couple last summer that hit hard for faculty and staff.”
Any department at the university is susceptible, from Information Security itself up to the president.
When an email appears to be from someone or a business that a person knows, such as in the case of the email supposedly from Hart, it is called spear phishing.
“You have emails that sound like they’re coming from the university,” Banks said. “Now they have your address, they continue to phish with your address and they’re going for the whale. They’re going for the big money.”
Boring was surprised that phishers are able to mimic the UA.
“I probably shouldn’t be because I’m currently in a computer security class, but we also haven’t really covered this stuff yet,” he said. “They probably target students because college is confusing, and uninformed students are easy to confuse or trick, and therefore easy to con.”
When Information Security finds a phish, they block the IP address and fake sites from the campus. A student using UA Wi-Fi will receive a message blocking them from any flagged websites.
Most often, phishers work from other countries and a lot of login attempts with fake credentials at the UA come from China, Russia and Iran, Banks said.
“They can hide and they may not be in this country,” Banks said. “If I can jump from a campus to a campus you can’t tell I’m coming from Nigeria.”
Even if someone is blocked for phishing, Salazar said recourse only comes if the phisher is caught using the information they have stolen. They can’t prosecute someone for trying to steal the information.
Touseull said that hacking is a profitable business.
“Personal information is worth a lot of money on the dark web, and criminals will pay top dollar for that information,” he said.
Information Security encourages the UA community to watch for alerts on their website and social media. If someone finds a suspicious email, they should first check to see if it’s been reported, and do so if it hasn’t.
Students can sign up for a free double authentication process called Global NetID plus to ensure that if their password is stolen, someone cannot get into their accounts.
Phishing will continue to evolve.
“This is not a problem that’s going to go away,” Salazar said. “We can block the whole campus from the world, but people internally are poking holes through that. People still respond enough that it’s lucrative.”
Follow Jamie Verwys on Twitter.