Originally published in Issue 14, Fifty-First Year of The Minstrel (May 4, 2017).
Cyber criminals are increasingly targeting college students across the United States, and DeSales students are no exception to phishing, employment-offer and ransomware scams.
The National Cyber Security Alliance (NCSA) reports that 72 percent of Americans believe their accounts are secure with only usernames and passwords, but every two seconds there is another victim of identity fraud.
The end goal for these criminals is to gain personal information such as birth dates, Social Security numbers, bank accounts and more. This personal information can then be sold for money on the Dark Web, which allows users to remain anonymous and untraceable and so avoid legal trouble.
Besides money and personal information, .edu emails can be valuable for gaining access to, or discounts on, software and other products reserved for members of a university community, which is why technical school email addresses are most often the targets of attacks. However, when broken down by state, the largest number of emails being sold on the Dark Web come from California, New York, Michigan, Texas and Pennsylvania.
Phishing, the fraudulent practice of sending emails in order to gain personal information, is the most common type of scam at DeSales.
A lot of DeSales students have fallen for password reminder scams. One of these emails told students to renew their password by clicking a link that actually went to christmastourhouse.com.
According to Director of Information Technology Patricia Clay, it is very easy to fake the name that is seen on email addresses. A cyber criminal could easily make the email name read “Help Desk” or “DeSales,” but if the address bar is hovered over, it will then read christmastourhouse.com or some other website not related to DeSales.
“We haven’t seen very sophisticated attacks, but in some of the more sophisticated attacks, it’ll pretend that it’s Bank of America and actually copy Bank of America’s logos and put it on their e-mails,” said Clay.
“It’s almost always a bad practice to click that link from an email if you’re not 100 percent sure that you should,” Clay added.
IT usually finds out about the scam through students reporting it or through monitoring.
Once IT is aware that students have responded to a phishing scam, the account is disabled and the password is changed. Then IT reaches out to the student whose account was compromised and has a conversation with them to find out what happened.
When company websites have been compromised, criminals have lists of email addresses and can check which emails are still actively being used to log in to websites. Criminals sell these emails and passwords on the Dark Web.
“They take that list of username and password combinations and they script that to go log in to different websites,” said Clay.
For example, if a criminal has a Yahoo username and password, they will then check that username and password on any other websites with logins such as Facebook or bank accounts.
Although awareness about phishing is increasing, victims keep falling for the scams.
“As long as phishing scams are still successful, they’ll keep doing it,” said Clay.
Job scams are an ongoing epidemic that received FBI attention in January 2017. Stop. Think. Connect., a global online safety campaign, sent the FBI’s warning on employment scams that target college students to DeSales IT.
The scammers pose as employers and send job postings to students about a remote job. Then they send the student a counterfeit check in the mail and tell the student to cash the check. With that cash, the student is asked to buy a money order and send it to a certain address.
Oftentimes the check does not come up as fraudulent until the bank processes it, and by then the student may have already lost money in sending the money order.
Earlier this year, a job scam occurred with someone named Susana Ozoria sending a job announcement email for a personal assistant through Bulldogs 4 Hire.
Assistant Director of the Career Development Center Melanie Vallone explains that the email came through Bulldogs 4 Hire (desales@csm.symplicity.com) because the employer created a fraudulent email address and posed as a legitimate company to create a Bulldogs 4 Hire account.
Vallone says three or four students received the check in the mail with one student coming very close to sending the money order. This incident was the first and only breach through Bulldogs 4 Hire.
“What makes it really tough is that we promote Bulldogs 4 Hire as a great way to post your resume—and safely—because it’s almost job search while you sleep. Employers can look if you’ve made your resume visible to employers,” said Vallone. “That’s when I work really hard to make sure employers are legitimate viable employers that are looking at our student resumes.”
Vallone calls up many local employers to make sure real people at their companies requested accounts on Bulldogs 4 Hire.
According to the Internal Revenue Service (IRS), companies are increasingly becoming targets of scams as well, with cyber criminals posing as company executives or the government and asking for W-2s, which contain Social Security numbers, dates of birth, addresses and other personally identifiable information.
“Ransomware is where somebody tricks you into opening, usually a document or a file that has software in it, and what it does, is it encrypts files on whatever computers or computer you have access to,” said Clay.
After this occurs, a message pops up on the computer ordering the person to pay a certain amount of money in Bitcoins, an online currency, within a certain amount of time. The threat is made that if the deadline is not met, all the files will be permanently inaccessible.
This is when Clay hopes that the person regularly backs up their files and can ignore the ransomware. Unfortunately, some hospitals have paid the ransom in order to obtain access to patients’ records.
“I haven’t heard of cases where people pay the ransom and don’t get their files decrypted, but again, you’re dealing with a criminal,” said Clay, so someone could send the money and not get the files back.
DeSales did have a ransomware incident where a student received an email that looked like it was from their own personal account with a word document inside.
Ultimately, the cyber security industry hopes that artificial intelligence will aid in picking up suspicious emails.
Protection against scams
IT protects the network by keeping a good encryption between the systems students interact with. There are multiple levels of firewalls and segmented networks.
“I want the next generation of our students going out into the world and not be the people falling for phishing scams at their jobs,” said Clay.
She reiterates that students need to have a lot of skepticism. When students are not sure if emails are legitimate or not, students can forward emails to firstname.lastname@example.org; however, “when in doubt, delete it,” said Clay.
If a password is compromised, make sure that password is not used for any other login, or that site can be compromised as well.
Students should use a different password for everything, and although that sounds like a difficult feat, free password-manager websites and apps, such as LastPass and 1Password, allow all of a student’s passwords to be stored in one place.
Strong authentication, also known as multi-factor or two-factor authentication, is a great tool to utilize as well. Many websites and apps offer this to protect accounts and ensure it’s the account owner, not criminals, accessing the account.
The three most common types of strong authentication are by using a security key (a small device, such as one that plugs into a USB port, to use when logging in), biometrics (such as fingerprints or cameras) and one-time codes (sent to you by a text or through an app to be entered into the website when logging in).
In the case of job searches, always be skeptical of offers that sound too good to be true. If the email says the recipient already has the job, when he or she never applied or was interviewed, the recipient should not respond. Many of the scammers are not native English speakers, so look for poor grammar and spelling. Any companies asking for personal information are red flags as well.
Vallone suggests listing only cities and states when posting resumes on public sites like Indeed or LinkedIn. Do not post full physical addresses online.
Overall, the more people become connected to the Internet, the more ways there are for scammers to find them, so it is increasingly important to be skeptical and know how to protect personal information.