It Happened to Me-Phishing

Phishing hurts MANY students; this story is just one of many

I couldn’t WAIT to finally move into my dorm and start my freshman year of college. Growing up, my parents were so strict. Since I would basically have to write a 15-page paper and presentation to go out with friends, I lived my life vicariously through social media. Facebook, Instagram, Twitter, Pinterest, you name it...I lived a completely different life on the internet. Luckily, UMBC is a whopping 6 hours away from my family home, far enough away to where I’m reachable but I will never have to go home. Freedom!!

My first day of classes was interesting, and the two main concepts drilled in each class were “syllabus” and “Blackboard”. I still had no idea what Blackboard was, but I was told I can access it from my UMBC profile. I sat in Starbucks with a new friend from class, and we both helped each other figure out myUMBC, Gmail, and Blackboard. I considered myself to be pretty internet savvy, so figuring out all of these mediums was a piece of cake.

It was the second week of class and I could already tell that checking my UMBC email would be a chore. I had so many emails from RAs, student organizations, classmates, and professors. I would usually skim through most of them, but then I got an email with the subject “Announcement” from “server@umbc.edu” and that seemed important. I read:

“This e-mail is to notify you the students of University of Maryland, Baltimore County that we will be upgrading our server. We need you to send us the following information in order to keep your account active after the upgrade.

(1) Username:

(2) Password:

Please acknowledge this email upon receipt.

Thank you,

Administrators of University of Maryland, Baltimore County”

Well, I definitely didn’t want my account to become inactive; I do literally everything for school on here. I immediately responded to the email with my UMBC username and password and then deleted my reply. I didn’t want anyone accidentally seeing that email somewhere on my computer and then having my information. Glad that’s taken care of.

The next couple of days my account seemed weird. Every time I tried to email someone, the reply-to address would be changed to some random email address I’ve never heard of, and the subject was automatically inserted with the same “Announcement” from the email I had received earlier. I began to think that something was definitely wrong. Then like clockwork, I got an email to my personal Gmail account from UMBC’s DoIT. My suspicious assumptions were right: my account was hacked. An employee from DoIT informed me (through my personal email) that an email was sent around campus that looked like it was legitimately from UMBC asking for usernames and passwords. Yes, that seemed right. Turns out my responding to that email gave an unknown hacker my credentials to get into my account. I was so shocked. I thought that I was pretty tech savvy. After all, I spent all of my high school life on the internet. I was told I fell for a phishing attempt. What even is that?

I took to Google to learn everything I could about how I was duped into getting my account hacked. Thanks to trusty Wikipedia, I learned that phishing was the fraudulent practice of sending emails from what seems like trustworthy companies to trick people into revealing sensitive information. *Sigh*, that’s exactly what happened to me. The email I received was from a UMBC email, so I automatically assumed it was safe. I trusted this “fake” email enough to give up my username and password.

My next step was to call this DoIT person, and learn how to spot a phishing message. Now that I have learned that not everything that comes from a UMBC email address is safe, I wanted to be able to use this as a learning experience. The first tip I was given was that if an email contains a warning that an account may be suspended, then it is probably fake. I was informed that UMBC does not do sweeps for inactive accounts. Also, UMBC will never ask a user to enter a password anywhere other than on a UMBC login page. Another helpful tip given to me was that if an email contains a false sense of urgency or a very impersonal tone, then it probably isn’t real. That makes a lot of sense, because unless it was a mass email from professors, most emails I received contained my name in the greeting.

The DoIT staff member scrambled my password and sent me instructions to reset it. At least my account was taken care of. It feels so weird knowing that someone hacked my account. They could have potentially seen all of my personal information on myUMBC. But now I know, and from this experience I’ve made ALL of my social media accounts more secure. I’ve also become way more aware and alert about the emails and posts I’m reading, along with what I choose to respond to.


Posted: October 11, 2017, 8:36 AM