A Student’s Perspective on Phishing Scams in Universities

Phishing is an online scam that targets consumers by sending them an email that appears to be from a well-known source – an Internet service provider, a bank, or a mortgage company, for example. These scams are one of the many ways cybercriminals get users and businesses to share sensitive information that can then be monetized, often without the victim realizing it.

It’s no surprise that schools are a favorite phishing target among cybercriminals. These scams frequently target students who receive hundreds of emails daily and attend a school with thousands of other students under a single domain. Thus, it is increasingly critical that IT specialists and students engage in security best practices and ensure that robust email protection is in place to protect students' information for the duration of their time at school.

I'm Marquisha Mathis, and I am seeking to earn a Master of Arts in Public Media at Fordham University. I recently experienced a phishing scam sent to my Fordham University email. I wanted to share what it was like seeing such a scam for the first time, as my email was almost compromised simply by clicking on an attachment that I thought was from a legitimate source: my school! If you’re like me, you may have found yourself in the same position, where you almost had your email taken from you, but luckily, it was saved by your school. Or, you may have had your account compromised because the phishing email you received seemed real and highly important. In addition, I want to discuss other prominent examples of phishing attacks targeting educational institutions and measures that universities and students should take to prevent similar attacks.

Recent Phishing Scam Targets Fordham University Students 

A recent phishing email was sent to Fordham University students that read, “Dear Students, Faculty, and Staff, Fordham! There is a pressing need for Students, Faculty, and Staff assistants at Fordham. This position is available to Students, Faculty, and Staff from any institution department, and consideration will be given on a first-come, first-served basis. Please see attached for an immediate job opportunity." The email's subject line was “Adm.asst Role $21.65-$24.35/hr to start + benefits.”

A few hours later, Fordham University sent a follow-up email to students warning them of this scam and how to proceed. It contained the following information:

“Please be advised that a number of Fordham community members have received a phishing email with the subject line "Adm.asst Role $21.65-$24.35/hr to start + benefits" purportedly coming from [address withheld].

The email states, "Dear Students, Faculty, and Staff, Fordham! There is a pressing need for Students, Faculty, and Staff assistants at Fordham. This position is available to Students, Faculty, and Staff from any institution department, and consideration will be given on a first-come, first-served basis. Please see attached for an immediate job opportunity." This email is NOT legitimate. The email address [address withheld] was compromised; we have since scrambled the account password and closed any active sessions.

If you have received this phishing message, please:

  • Do not respond to the message.
  • Do not click on any attachments or links.
  • Do not call any number listed.
  • Do not provide any private information such as username and password.
  • Delete the message.

This phishing email was presented to Fordham students as something legitimate and a great opportunity as students in all grade levels, especially those who may be graduating, are looking for full-time jobs. And it almost fooled me! This email made me want to read more as a graduate student seeking full-time work after graduation. I thought, why not? I didn’t think anyone would try to trick me or other students into opening an email that could be the next step in changing the course of their future. I simply believed it was from my school and that they were recruiting soon-to-be graduates to join the team and stay on as a Ram!

Fordham University is an institution with approximately 15,300 students. The institution must be able to protect students at all costs. Luckily, their email response came quickly and warned students of the attack. However, more must be done to protect students and faculty against these stealthy and dangerous scams. Other institutions also have to take better initiatives to ensure that the student email accounts in their care are not compromised.

Phishing scams continue to be highly effective for cybercriminals as they look to steal users' information and spread harmful malware. Other universities have been hacked, and many examples reveal that superior phishing protection is required for schools and universities.

More Real-Life Examples of Phishing Scams Targeting Universities 

Australian Catholic University (ACU) 

In 2019, threat actors posed as the university and sent an email containing a link to a fake ACU page. When staff entered their credentials into the malicious page, the cybercriminals could harvest their logins and use them to access sensitive information, including bank accounts. Though only a fraction of staff were affected in the ACU breach, phishing attacks can be sophisticated and highly destructive. 

Chegg 

In 2018, the online textbook rental service experienced a data breach that affected 40 million customers. Cybercriminals were able to steal usernames and email addresses, then decrypt the passwords and post the logins online. 

Chegg did not alert individual users to the data breach; instead, colleges like Saint Mary’s College in Indiana were alerted by REN-ISAC (Research and Education Networks Information Sharing and Analysis Center) when Saint Mary’s email addresses turned up in the credential dump. When the college alerted students and staff about the breach, their credentials had already been exposed. 

How Can Students and Universities Protect Against Phishing?

Scammers use email or text messages to steal your passwords, account numbers, or Social Security numbers. If they get that information, they could access your email, bank, or other accounts, or they could sell your information to other scammers. Scammers launch thousands of phishing attacks like these daily and are often successful. Here are a few tips to stay ahead of cybercriminals and know when something seems wrong:

  • Protect your computer and mobile device by using security software. Set the software to update automatically to deal with any new security threats.
  • Students and universities should use a filtering system that recognizes when someone tries to use university credentials outside the university.
  • Protect your accounts by using multi-factor authentication (MFA). Some accounts offer extra security by requiring two or more credentials to log in to your account. This is called multi-factor authentication. The extra credentials you need to log in to your account fall into three categories: something you know (like a passcode, a PIN, or the answer to a security question), something you have (like a one-time verification passcode you get by text, email, or from an authenticator app, or a security key), and something you are (like a scan of your fingerprint, your retina, or your face). Multi-factor authentication makes it harder for scammers to log in to your accounts if they get your username and password.
  • Protect your data by backing it up. Back up the data on your computer to an external hard drive or in the cloud. Back up the data on your phone, too.
  • Educate users on recognizing and avoiding phishing emails with a fully managed security awareness training program.
  • Invest in a comprehensive cloud email security solution that detects and blocks all phishing attempts before they reach the inbox.

What Steps Is Fordham University Taking to Protect Students & Staff Against Phishing?

Fordham University will never ask you to provide personal information, such as your Fordham ID number, via email. As a rule, students mustn't send any personal information through email. If they receive such a request via email, they should contact the IT Service Desk. Attackers may also compromise legitimate email accounts, including @fordham.edu addresses belonging to people you know, and send phishing emails from those accounts.

Students should be aware of suspicious emails and attacks at all times. According to Fordham, if you are unsure of a link in an email, mouse over the link, but don't click it. A small pop-up window will appear, showing the URL the link connects to. If the URL doesn't match the link text or is not from a domain or company you are familiar with, then there is a good chance that this is a fraudulent email and the site is not legitimate.

Most URLs for organizations and companies begin with https://. The "S" stands for secure; http:// is not a secure connection. Note that https:// only means the connection is encrypted, not that the site is legitimate: a phishing site can use https:// too, so the domain still has to be checked.

If the email is from Fordham:

  • It will come from a Fordham.edu email account.
  • It will not use a generic greeting (for example, "EDU Webmail Users") or omit the greeting entirely. 
  • It will not request that you respond to a non-Fordham email address.
  • A Fordham employee or department should sign it.
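The hover check and the sender checklist above are things a person does by eye; the same heuristics can be applied automatically to a raw message. The script below is an added example, not Fordham's tooling or anything from the original article: it assumes `fordham.edu` as the trusted sender domain, flags a Reply-To that goes to a different domain than the sender, a generic or missing greeting, a link whose visible text names a different host than its `href`, and a link that uses plain `http://`. Both sample messages are constructed for the example, with made-up addresses and hostnames; the lure text is modelled on the job-offer email quoted earlier.

```python
import re
from email import message_from_string, policy, utils
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: the domain legitimate campus mail comes from.
TRUSTED_DOMAIN = "fordham.edu"
# Greetings that address nobody in particular (lowercase substrings).
GENERIC_GREETINGS = ("dear user", "dear customer", "dear account holder",
                     "edu webmail users", "dear students, faculty, and staff")
# Visible link text that itself looks like a URL or hostname.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value: str) -> str:
    """Lowercase domain of an address header such as 'Name <user@host>'."""
    _, address = utils.parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def check_message(raw: str) -> list:
    """Return human-readable findings for a raw RFC 822 message (empty = clean)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Checklist item: mail from the university comes from its own domain.
    from_domain = _domain(msg.get("From", ""))
    if from_domain != TRUSTED_DOMAIN and not from_domain.endswith("." + TRUSTED_DOMAIN):
        findings.append(f"sender domain is {from_domain!r}, not {TRUSTED_DOMAIN}")

    # Checklist item: replies should not be steered to another address.
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain!r}, a different domain than the sender")

    html_part = msg.get_body(preferencelist=("html",))
    plain_part = msg.get_body(preferencelist=("plain",))
    html_text = html_part.get_content() if html_part else ""
    plain_text = plain_part.get_content() if plain_part else re.sub(r"<[^>]+>", " ", html_text)

    # Checklist item: a generic greeting, or none at all.
    first_line = next((ln.strip() for ln in plain_text.splitlines() if ln.strip()), "")
    if not first_line.lower().startswith(("dear", "hi", "hello")):
        findings.append("no greeting at the start of the message")
    elif any(g in first_line.lower() for g in GENERIC_GREETINGS):
        findings.append(f"generic greeting: {first_line!r}")

    # The hover check: does the visible text agree with where the link goes?
    collector = LinkCollector()
    collector.feed(html_text)
    for href, text in collector.links:
        host = _host(href)
        if urlparse(href).scheme == "http":
            findings.append(f"link to {host!r} uses plain http://")
        if URL_LIKE.match(text):
            shown = _host(text if "://" in text else "http://" + text)
            if shown != host:
                findings.append(f"link text shows {shown!r} but points to {host!r}")
    return findings


# Constructed sample lure; addresses and hostnames are invented for the example.
SAMPLE_PHISH = """\
From: Campus Jobs <jobs@fordham-careers.example.com>
Reply-To: hr-desk@webmail-lookalike.example.net
To: student@fordham.edu
Subject: Adm.asst Role $21.65-$24.35/hr to start + benefits
Content-Type: text/html; charset="utf-8"

<p>Dear Students, Faculty, and Staff, Fordham!</p>
<p>There is a pressing need for assistants. Apply at
<a href="http://secure-login.example.net/apply">my.fordham.edu/jobs</a>.</p>
"""

# Constructed sample of a message that passes every check.
SAMPLE_LEGIT = """\
From: IT Service Desk <servicedesk@fordham.edu>
To: student@fordham.edu
Subject: Scheduled maintenance this weekend
Content-Type: text/plain; charset="utf-8"

Hi Jordan,

The student portal will be unavailable Saturday 2-4 am for maintenance.

IT Service Desk, Fordham University
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(raw))
```

The constructed lure trips all five checks, while the plain maintenance notice trips none. Heuristics like these are a triage aid, not a verdict: a compromised @fordham.edu account (the case in the Fordham alert above) passes the sender-domain check, which is why the greeting, Reply-To and link checks matter independently.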

Although Fordham emails are supposed to be official and protect students from cybercriminals, that is not always the case. It is therefore very important to follow the steps mentioned above and take additional measures as requested by the university.

Always think twice before providing sensitive information online. If something feels fishy, it's probably a phish. Remember, a phishing email can come from a compromised account on the same domain as yours. But Fordham Gmail is scanned for suspicious content, and Fordham will continue to provide students with more assistance in dealing with phishing. Fordham's website gives step-by-step guidance on what to do.

In the web console, you can:

  • View your Quarantine Summary
  • Search for an email by Sender (From), Subject, or Age 
  • Edit your Safe Senders List and Blocked Senders List 
  • Request a new Quarantine Summary be sent to your inbox

Keep Learning About the Need for Superior Phishing Protection for Universities

Phishing attacks against educational institutions are very common, and, unfortunately, they’ve been rising recently. Students' data, including email addresses, phone numbers, credit card information, and so much more, is often compromised in these attacks. Although the financial losses are one significant factor for universities, each institution's reputation is also at stake. It is challenging to eliminate attacks entirely, as threat actors constantly develop new ways to exploit weak spots. However, implementing the protection measures discussed in this article can enhance your organization’s information security and safeguard the inbox against phishing attacks.
