Ok, if you’re like most of us, you don’t lose sleep over the thought of your myUMBC account getting hacked. Fair enough. With midterms, parental expectations, post-graduation job prospects, and the state of the world, we all have plenty to think about. Maybe you use your college email account daily to communicate with professors and other students, or maybe you log in twice per year in order to register for classes. No matter how invaluable this email might be to your academic life, it is probably hard to imagine cyber criminals lurking in dimly lit basements around the world, dreaming of gaining access to your grades on Blackboard. Surely, there must be someone out there who would make a more promising victim than me, right?
You might be surprised. Over the past decade, well over 600 universities reported a data breach. Some of these attacks have proved to be very successful. Many of these attacks were targeted at students, and many consisted of phishing.
In truth, college campuses are target-rich environments for opportunistic scam artists. Universities have networks and machines that contain very sensitive information, with large numbers of users and personal machines “passing through.” Many attacks on campuses work by first hacking a university email account, which students and staff will see as more “trustworthy.” Once one account is compromised, particularly an administrative one, the hacker can use this “trustworthy” account to manipulate other members of the same organization. Criminal activities which use deception in order to exploit individuals and organizations, such as phishing, are collectively referred to as social engineering. One of the simplest ways a hacker can compromise many accounts is to gain access to an under-secured student account, and then use the trusted organizational email to send out phishing emails to a large number of students and staff.
What value do these accounts have? A resourceful criminal would likely know that some people are bound to use the same password for their school account that they use to secure their bank account. Criminals might also attempt to acquire and sell sensitive information, or to lock a valuable hard drive and hold it ransom. Colleges will likely continue to experience phishing attacks and similar threats for the foreseeable future, because these targets will offer hackers an opportunity to make a significant profit with little effort.
So what is being done? Your UMBC account filters out many spam and unsolicited emails. UMBC’s DoIT (Division of Information Technology) is working every day to identify and block new spam emails. And as new attacks come to their attention, you will see alerts appear on the DoIT myUMBC group page, or receive an email from the police. So what’s our last line of defense, for those attacks that “fall through the cracks,” making it to your inbox? That’s where you come in. By staying well-read on cyber threats, securing your own online presence, and tuning in to campus fraud alerts, you can make UMBC’s network safer for everyone. Read up on Phishing Red Flags on doit.umbc.edu/security, and find more on our myUMBC page: my.umbc.edu/groups/bethekey