Following an influx of phishing messages to student email accounts, Oswego State Campus Technology Services Help Desk sent out an announcement warning students to be weary of giving out their personal information.
The email, sent out on March 25, explained what a phishing email is and instructed students on how to report such emails.
A phishing email is a message that aims to gain personal, identifiable information about the recipient, said Michael Pisa, the associate director for infrastructure and security for Campus Technology Services.
“A phish is something that is trying to get you to go to a site or provide information about yourself,” Pisa said. “Somehow its plan of attack is to try to get information from you, whether that’s a username and password or to take you to another site and get you to put in other personal, identifiable information.”
The phishing emails being sent to Oswego State student accounts is a result of email addresses and other information harvested by attackers through various security breaks, explained James Early, an associate professor of computer science with a background in information security.
“One of the reasons we’re getting so many of these things now is because of the various break-ins that have happened at large retailers like Home Depot and Target and places like that where attackers have been able to go in and harvest large quantities of usernames, email addresses and sometimes credit card numbers,” Early said.
The email addresses are then used to send out the phishing email that will serve to garner further information, such as passwords, other email addresses, bank statements and any other personal, identifiable information.
“The people who are doing these things are generally collecting this private information and putting it up on various Internet sites for sale for other people then to try to utilize,” Pisa said. “Then there are two uses: one is for the spamming and the other is for the phishing.”
While the initial phishing emails being sent to students were easily recognizable, the more recent emails have become a bit craftier and can be easily mistaken as legitimate emails. The hackers are using a variety of different methods to fool the recipients into giving out their personal information.
“One of these phishings scraped the campus logo right off the website, so there were a lot of people who then responded,” Pisa said. “This weekend we had 17 accounts that we suspended because they were sending spam out. So that means those people answered one of those phishes at some point and people got their password.”
Senior graphic design major Adrianna Petrus fell victim to a phishing message that was designed to look like a Google Doc.
“Someone shared with me a Google Doc, but it was not a Google Doc,” Petrus said. “They made me log in to the Google server, but it wasn’t really the Google server. It was a fake.”
Fortunately, Petrus realized the message was a phishing scam and took immediate action to ensure the safety of her account and information.
“I had a mini freak-out, and I just changed my password and stuff,” Petrus said.
There are several defining factors to help identify a phishing email and differentiate it from a legitimate email. Early and Pisa both warn against following links within emails and say the college, banks and other institutions would never ask for personal information via an email.
“Typically you can hover your mouse over a link to see what the actual address is, and if that address doesn’t resemble where the message claims to have come from, it is clearly a phishing attack,” Early said. “If you have a lengthy URL that’s got a lot of special characters in it that you don’t understand that’s typically not a link that would be reported by, let’s say, your bank. If a bank needed you to go to a website, they would say, ‘Go to chase.com’ or something.”
There is no one action that can be taken to stop all phishing emails from being sent out, but there are a couple steps that can be taken in order to help combat the issue.
The first step should be reporting the email to Campus Technology Services by forwarding the message to the CTS Help Desk so the department can keep track of such emails and send out notifications to the campus.
“If you are getting one of these messages, it is very likely that someone else in the college is getting one as well,” Early said. “If Campus Technology Services has some information about it, they can send out notifications to warn people.”
The second way to report a phishing email is right in Laker Apps. Oswego State’s email service is hosted by Google, which has its own system of guarding against phishing attacks.
“If you suspect something is a phishing message, you can flag it as such and that information will go to Google and help inform other people who may be receiving those messages,” Early said. “They will aggregate it with many other such messages to try and find out if there are common patterns in the message that can then help them filter it and get rid of it.”
Even with consistent reporting of such emails, there is no way to completely eliminate phishing emails from being sent out. When all else fails, it is important to apply common sense and use best judgment.
“People just need to make sure they are diligent,” Pisa said. “If you don’t expect it, be weary. If you’re not sure, question it, whether it’s to go to us at the help desk or wherever.”