University Police issued a crime alert Wednesday afternoon that reported some University staff had been victims of spear phishing, the use of false e-mails designed to trick recipients into revealing confidential information such as a password by impersonating University websites and services.
Staff who gave up their passwords enabled suspects to use their University accounts to divert the direct deposit paychecks of approximately 10 individuals and to access personal information that could eventually result in identity theft.
University spokeswoman Diane Brown said that although crime alerts are typically reserved for alerting the community to physical crimes, the severity of the recent spear phishing cases had become a public safety concern.
“This is one of the first times that we understand that folks … got tricked by the e-mails, and gave out their information, and then it was used by criminals to conduct fraud,” Brown said. “We want to be sure that as many people as possible are aware of how sophisticated the attacks have become and what the end result might be.”
Brown said Information and Technology Services has long made efforts to educate the University community about recognizing phishing e-mails and has always been working, either internally or through vendors, to improve its filters to catch them.
“It is a constant process but it can’t rely on one thing … so we all need to be aware of what we need to do (in being safe online),” she said.
Brown said the “nuts and bolts” of the investigation will be conducted by ITS, while there will be additional work for investigators at the University Police Department.
University Chief Security Officer Paul Howell said there has been an increase in the sophistication of spear phishing attacks over the past several years and that this was the first one to have a large impact.
He said criminals often create exact mock-ups of login pages to steal information.
“Unless you are very careful in looking at the URL the webpage is on, you may not notice that you are about to enter your username and password into a website controlled by a criminal,” Howell said.
He said the best defense against spear phishing, aside from updated security measures by ITS, was to be educated about which websites are valid places to enter personal information.
“There really isn’t a technology or technical solution (except) for people being aware of the risk and being suspicious when they open these e-mails and not afraid to ask questions,” he said.
Looking to the future, Howell said ITS was always working to learn and to prepare better security measures, including updated filters to keep out spear-phishing e-mails.
“We are in constant evaluation mode for future threats and looking at ways to protect ourselves.”