SF State’s Information Technology Services unit fights email phishing scams

Amid an increasingly technology-based work environment, an illegal industry aid to steal personal information was born.  In an effort to raise awareness of the new challenge, Cyber Security Awareness Month is celebrated every October. 

Today SF State students face a  threat known as phishing scams. Most scams are email-based and Associate Vice President and Chief Information Officer of ITS Nish Malik, believes that phishing scams are the most significant issues facing SF State students and other CSUs.

“It’s prevalent both in public and private enterprises, so it’s something we have to learn to deal with,” Malik said.

Phishing scams often appear legitimate because they mimic a genuine message from someone familiar or from a legitimate email address. Phishing messages may contain links that navigate users to fake web pages. 

“Phishing is trying to get your account and password,” Malik said. “Once they have your account and password, they’re hoping for your level-one data, credit card information, Social Security, your checking account, whatever that might be. And maybe your other financial aid matters that we may not be privy to, like loans and things like that.”

Senior Director of the Cloud and Systems Services Dimitry Vayntrub said that phishing is an enterprise because hackers spend money to make money.

“Officially the cheapest one, [phishing] costs almost nothing,” Vayntrub said. “For the high volume, phishing is the one anyone can do in a blink of an eye.”

Malik said SF State catches around 70% to 90% of phishing emails by blocking them with a firewall.

Vayntrub added that on a scale of about 1 million emails a week, 15% of emails they receive are legitimate and 85% are filtered out.

Vayntrub said his team implemented a feature called ‘savings,’ where they can control all URLs from phishing emails, even after an email was received or if it’s from a location  They can block it without attackers noticing.

“If it’s within our system, we have controls, we can delete malicious email, we can do other things,” Vayntrub said.

But Malik said students are not the only ones falling for phishing scams, as some faculty and staff have as well. 

Senior Director and interim Information Security Office of ERP & Business Intelligence Tuan Anh Do said one thing they have done as a preventive measure is locked down all the information in the SF State’s system. 

“We’ve locked down a lot of information in our systems,” Anh Do said. “We’ve done encryption on key information like banking information, SSN and date of birth so that if somebody does get in, they can’t get a lot of stuff.”

According to Anh Do, they get between five to seven compromised accounts a day.

He said a big part of stopping phishing scams is to educate people on their risks. 

Two weeks before the semester, the campus community received an email with a list of what to do to become vigilant and help protect against phishing scams.  

Anh Do’s team also conducts an interactive campaign.

“We do phishing campaigns, which is our way of sending out phishing emails to faculty and staff,” Anh Do said. “And what happens is they click on the link, it tells them, ‘Oh, hey, you clicked on a Phish meat email. Here’s how you can educate yourself.’ If they report it, it tracks that as well.”

Phishing scams can reach thousands of people if they compromise the proper account.  Vayntrub said ITS takes on Office 365 to prevent a high volume of people from getting compromised. 

“For example, we run reports, we try to find them as soon as possible because those are signs of compromised accounts, sending malicious emails,” Vayntrub said.

Vayntrub has seen around 1,000 to 10,000 messages sent from a compromised email.

“Once your account gets compromised, we will lock the account,” Anh Do said. “And we will notify you through your non-SF State email that your account has been compromised and that there’s a cleanup process that needs to go through.”