Due to a recent spike in fraudulent emails coming to UTD accounts, the Information Security Office has increased its efforts to teach internet safety to students.
The emails, referred to as “phishing” scams, bore the UTD logo and asked recipients, specifically students, to enter their usernames, passwords or other confidential information into a malicious website.
“This one was rather clever,” said Andy Cummings, UTD’s information security analyst. “I think a lot of younger folks are not really familiar with the dangers that phishing pose. … They tend to trust a little bit too much.”
Cummings said although most students did not believe the email, about 20 did. In an average week, only three or four fall victim. The “phisherman” immediately used the accounts of those who gave their information to send out more spam.
“We shut it down fairly quickly, but unfortunately people still were responding to the email,” he said. “It doesn’t matter how many technical measures we had in place, the big danger and the big flaw is always the human element.”
The ISO changed the passwords of the student accounts that had been compromised, expecting those students to call the eLearning help desk on campus to log on to their accounts.
Nate Howe, the chief information security officer, said about 90 percent of the emails that arrive at UTD are screened and immediately thrown away because they’re obviously spam.
“It’s a step in the right direction, but there’s still the occasional message that’s good enough that it makes it through,” he said. “Our next step is hoping our users, who have that awareness, start reporting it to us.”
Part of the problem with the recent uptick in phishing, Howe said, is that students lack the training the ISO provides faculty and staff. He said because it is difficult to get students to come to a seminar about internet safety, the office instead focuses on community outreach to teach them.
Awareness and Outreach Manager Stephenie Edwards concentrates on creating programming for students. Because students’ schedules are so variable, the office has used posters, flyers and boothing to educate.
“We can’t always just get in front of (students),” she said. “There’s not a faculty member saying, ‘I’d really like for you to come to my class and talk to my students about phishing.’”
This fall, she said, the office has considered designing a game offering prizes to students who recognize and report examples of email scams. Additionally, Edwards manages the office’s Facebook page, reporting the most recent schemes to look out for.
“Students are kind of in an interesting group because they’ve grown up with phishing,” she said. “It doesn’t make them angry. And that’s something we need to change culturally on campus. Scams and phishing waste your time, they sometimes trick you and they sometimes take your information.”
When the ISO discovers a fraudulent website, it blocks that URL on the school’s internet. However, Howe said, if a student accesses the website without UTD’s WiFi, he or she is unprotected. Next, the ISO contacts the entity hosting the web page and requests it be taken down, which can take up to 24 hours.
“Unfortunately, at that point, we’re playing against the clock,” Howe said. “That first 24 hours is very critical to get the word out. … As more people join that conversation and become the eyes and the ears to help the security office, then now it’s not just the security office but it’s the whole community saying, ‘We’re not going to put up with that.’”
Cummings echoed Howe’s sentiments, encouraging students to reach out to the ISO.
“We like being a spoke in bad guys’ wheels,” he said. “For people to join us in that effort would be huge.”