The University of Michigan Ford School of Public Policy was the target of phishing scams this past week after Public Policy students, faculty and staff received an email last Tuesday from phishers masquerading as staff members inquiring about their recipients’ schedule availability.
In an email statement to The Daily, Sol Bermann, University interim chief information security officer, explained phishing is a phenomenon that affects organizations worldwide.
“Phishing remains the most common method used by cyber-criminals to get unauthorized access to systems and data,” Bermann wrote. “U-M, and organizations the world over, are constantly being plagued by phishing attacks. There is no technical way to stop them all. Instead, we rely on the University community to understand how to identify and avoid phishing at work and in their personal lives.”
In an interview, Bermann told The Daily that while Google’s barriers act as the biggest defense against phishing attempts, the University supplements such systems with its own tools, like a Chrome extension built by Bermann’s team and Information Assurance.
“We have a lot of threat intelligence tools that feed our network defenses, like our firewall or intrusion detection devices,” Bermann said.
Bermann also said that while phishing attempts have become sophisticated over the years, they are not nuanced enough for one to assume phishers would specifically target the Public Policy School or even higher education institutions as a whole. Part of the reason, he explained, is that they’re often sent by the millions.
He expressed his belief that the recent Public Policy School phishing storm is part of such a widespread attack.
“Those seem more of a routine phishing attack, and I don’t know that it’s just attacking or just targeting Ford,” Bermann noted.
So far this year, the University has released 26 phishing alerts. One email impersonated the University Library, while another appeared to be from University President Mark Schlissel.
As far back as 2005, students and staff fell victim to phishing emails that asked for their TCF Bank account information. There have been several more instances reported over the years, such as fake payroll emails in 2018 and spear phishing attacks that targeted University staff in 2013.
To help prevent such attacks, the University implemented Duo Two-Factor Authentication early last year and has a section titled “Phishing and Suspicious Emails” on its Safe Computing website.
Public Policy junior Maeve Skelly said she has received phishing scams before and deletes them when they appear in her inbox. She noted the emails often include bogus job postings and said she was unaware of the prevalence of phishing attacks. She last received a phishing email in May.
Skelly also expressed concern about the danger that such phishing attempts pose to students.
“The fake job postings are kind of scary,” Skelly said. “People who are desperate for internships, or want to just get a job for money — those are scary to think about, that those might be fake and your security could be compromised.”
Bermann explained to The Daily that phishers sell a person’s information via the dark web, which hosts online content that requires non-traditional browsers to access. Illegal activities, like arms trafficking, often take place on such sites.
“Often what we see is that compromised accounts are not immediately used, but they may be sold to the highest bidder on the dark web version of eBay for identities,” Bermann said.
Public Policy junior Jack Eichner explained he does not recall being sent a phishing scam to his University email. While he, like Skelly, does have concerns about phishing attacks, he echoed Bermann’s sentiment that they are inevitably ingrained in the use of technology.
“To be honest, it’s something that every big organization deals with,” Eichner said. “So, while it doesn’t make me feel great … it’s more of a reflection of the rising issues that come along with an increase in technological advances.”