Scammers phish for student emails
Feb 11, 2020
Information and Technology Services sent an email on Feb. 7 warning students of phishing scams disguised as job offers. According to the ITS phishing guide at SF State, “Phishing is an attempt to acquire sensitive information by pretending to be a legitimate or trustworthy entity.”
This is done by email or text message and usually has some form of link to redirect the receiver to a fraudulent site in order to trick them into putting in their username, password, social security number, etc., in order to hack their accounts.
One fraudulent email claims there is additional information needed to receive financial aid. This phishing scam email is intended to get the receiver to click on the email so that it could then redirect them to a fake SF State login website page.
This phishing scam is aimed at tricking students into entering their login information on this fake sign-on page in order to receive their username and password. Entering any information pertaining to a student’s bank account is targeted in order to get a hold of account and routing numbers.
Aliyah Murphy recalls opening an email on Sept. 19 from a sender without credentials suggesting that she click on the link below from Paypal to authenticate her account. Murphy never entered her information, but engaging with the email was enough to fill her inbox with spam less than a week later.
On Sept. 24, 2019, Murphy began receiving a barrage of sexually suggestive messages to her student email. They continued all night and all she could do was turn off her notifications.
Murphy said she went to ITS; they locked her out of her student account and installed antivirus software. This process took about two weeks and her professors had to send her assignments to her personal account.
This isn’t the first time that Murphy has gotten a suspicious email claiming to be from the university.
“I had an email once that said I got suspended from the school and then I called the school and they’re like ‘that didn’t come from us,” Murphy said. “And I clicked a link because it was like, ‘to view your report.’”
Scammers also target university employees for their access to mass amounts of student, staff and faculty information.
ITS sent 3,566 simulated phishing training messages sent to SF State employees as part of their January 2020 Security Awareness Campaign. 11.3% of SF State employees responded to the simulated link that’s designed to collect the susceptibility rate of those who responded. This rate increased 3.83% compared to the November 2019 campaign results.
The ITS team is working on a device and app called Duo, to be used for multi-factor authentication (MFA), according to Nish Malik, the associate vice president and chief information officer in the ITS department. Malik is responsible for working on providing students, staff, and faculty with new solutions to prevent phishing scams from victimizing anyone on campus.
Duo is a keychain that has a specific code connected to personal accounts and notifies the person when an account is logged into. Once verified, then the person is able to access the account online. This browser session expires after 12 hours then the process starts again.
“What I want you to get from MFA is your password. You enter your password. You could be using your password in 20 places but this thing, the code, it puts in a second layer of protection, which hackers can’t get to,” Malik said.
“Once we have rolled-out MFA to all faculty, we will work on developing a plan for rolling the same out to SF State students as we take protecting our data very seriously,” Malik said.
There is not an exact date for the MFA readers to be distributed, but students are to expect this new supplement within the year.
For Sunshine Buitrago, this suspicious email arrived on Feb. 1 disguised as a job opportunity.
“The email was actually this girl looking for dog-sitting. So I’m a dog sitter, I’m a dog walker so to get emails like that it’s pretty normal for me,” Buitrago said.
The sender was a random person who advised Buitrago to email them through her personal email. From there the sender went on by giving a two-paragraph long description of why they needed a dog sitter.
“So her offer was $350 per week to watch her two dogs for nine hours per week. One, yes I do make pretty good money dog walking but that is a lot of money,” Buitrago.
Buitrago said she also knew something was wrong when the sender was willing to put their personal information in an email rather than meet in person.
Students have become victims of phish scamming with alluring various subjects. Some of the subjects are job opportunity, revalidating your account, personal assistant, and reviewing a job and confirming applications.
In order to prevent fraudulence, students are advised to directly use the SF State website instead of links through emails.
“Universities become more and more of a target because there’s a lot of individuals that are in universities, said Mary Morshed, the information security officer in ITS. “There’s also intellectual property that is housed in universities, a lot of research happening.”
Students are advised to report suspicious emails to ITS if they are experiencing any fraudulent activity. Instructions for reporting are available in the How to Report Phishing Websites Guide.