Phishing—that is, a cybercrime where a target is contacted by email, phone or text message by someone pretending to be a legitimate institution or person in order to trick the target into revealing personal information, such as passwords or credit card details—is hardly a new practice. And yet, watchful students and faculty may have noticed a recent uptick in warnings from administration to be on the lookout for spam emails penetrating the New College bubble. With how much the coronavirus pandemic has moved everyone online in the past two years, opportunities for scammers have only increased, even with recent attempts by administration to shrink the number of emails sent out to the New College community. Where phishing is concerned, here’s what to look out for, how to report it and which services on campus can help.
Several warnings have been sent to both students and faculty in the past month to beware phishing attempts. The scams reported at New College have taken many forms, including fraudulent job offerings targeting students directly, pension consultations for faculty and invitations to preview ambiguous payrolls.
Similar to phishing is spoofing, in which a scammer attempts to assume the identity of a New College administrator, staff member or associate. Director of Network & Technology Services Benjamin Foss said that students are especially vulnerable to these kinds of attacks, which mask themselves as academic deadlines or announcements, at the end of the semester, when they’re expecting emails about financial aid or contracts.
Campus Police Department (CPD) officer and Investigations and Training Coordinator Sgt. John Chirgwin described one phishing report he recently received, in which the scammer requested the tutoring services of the target. The scammer then sent the target a check for far more than the wage that was offered and asked the target to send back the difference.
“I was a detective in Cincinnati as well, and that was a common one that might be used on Craigslist,” Chirgwin said. “People would just be so excited that they’re getting above asking price, that they wouldn’t really think about why somebody would do this. And then after they’ve sent the money, that check [they received from the scammer] would bounce.”
As for how these scammers are able to reach New College, Chirgwin explained that it’s not a matter of the college being targeted, but more so that these emails are sent en masse to thousands of people.
“They’re crafted very sophisticatedly, but it’s not like some crazy hacker breaking into the systems,” Foss added. “They just sign up for a free Google account, and they script a mass message to the directory of emails they’ve crawled off of websites. That’s a reason why I think colleges are easy targets—a lot of directory information is on public websites for employees, and they’ll just crawl these websites and build a file of all these email addresses and just turn them out indiscriminately, see who takes the bait.”
“There’s been a huge uptick recently,” Foss continued. “Personally, I don’t think much has changed in the last five years, these things have been ongoing. But there’s a lot of news hysteria that there’s been a rampant increase, and there has been, but nothing has really changed from our point of view. We’re doing the same things, trying to block messages and whatnot. It’s all about awareness.”
Being able to identify spam is the most surefire way to avoid becoming entangled in phishing. Some easy-to-spot indicators include typos, incomplete sentences, inconsistent punctuation or capitalization, requests for personal information early on and high salaries that sound too good to be true.
“A lot of times, those that have received [spam], they look genuine but if you look really closely, there’s usually tell-tale signs such as the way that word in a sentence is not how we’d usually do it in American English,” Chirgwin said. “It’s a good sign that it’s coming from overseas, and the reason they send them from overseas is because it makes it so hard for us to investigate and do anything about it.”
Additionally, those who receive suspicious emails are advised to check the address: if it does not match the associated business or organization, looks like a personal email or otherwise has a display name that is unfamiliar, there’s a good chance that it’s spam.
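The sender checks described above can be expressed as a short script. This is an added example, not part of the original article; the domain `college.example`, the keyword list, the free-mail list and the sample headers are all assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

ORG_DOMAIN = "college.example"  # placeholder, not the college's real domain
ORG_TERMS = ("financial aid", "registrar", "payroll", "human resources")  # assumed
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def check_sender(from_header):
    """Return reason codes for a From header; an empty list means no flags."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ["unparsable-sender"]
    domain = addr.rpartition("@")[2]
    name = display.lower()
    # Exact match or a true subdomain; "college.example.mail.test" does not count.
    in_org = domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)
    claims_org = any(t in name for t in ORG_TERMS) or ORG_DOMAIN in name
    reasons = []
    if claims_org and not in_org:
        # Display name invokes the organization but the mailbox is elsewhere.
        reasons.append("org-name-external-address")
        if domain in FREEMAIL:
            reasons.append("personal-mailbox")
    # A display name that shows one address while the real one differs.
    embedded = ADDR_IN_NAME.search(name)
    if embedded and embedded.group(1) != domain:
        reasons.append("display-name-shows-other-address")
    return reasons


# Constructed sample headers, not taken from real messages.
SAMPLES = [
    '"Financial Aid Office" <aid.office.desk@gmail.com>',
    '"Office of the Registrar" <registrar@college.example>',
    '"registrar@college.example" <helper@mail.test>',
    '"Payroll" <pay@college.example.mail.test>',
    '"Sam Friend" <sam@gmail.com>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "no flags")
```

A clean result only means none of these heuristics fired; it does not show that a message is legitimate.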
Anyone who suspects that they have received a scam email has the option to report it through Google Mail as either spam or phishing.
“Not only does that help Google’s algorithms to block and detect messages, but we as the domain administrators of the New College domain also get copies of that so we can block certain domains,” Foss said. “If the message has gotten through, rather than wait for Google to do anything, we just block it and identify who that message might have reached and see what the impact might have been.”
“Luckily we do have a really good IT department,” Chirgwin said. “They usually are able to give me, in many cases, an IP address of where it came from. And I can issue a subpoena, I can find out which company issues that IP address and find out who that registers to.”
Chirgwin went on to say that while the CPD is limited in how they can help when it comes to scams coming from overseas, the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) can provide further-reaching help, and allows people to file various complaints.
Other resources include the Cybersecurity & Infrastructure Security Agency (CISA) division of Homeland Security, the website of which includes various tips for avoiding social engineering and phishing attacks. The FBI also offers resources specific to identifying fraudulent job offerings. Closer to home is LinkedIn Learning, which is available on the myNCF portal and offers courses on phishing.
“A lot of the younger generation grows up with this stuff, so they know it better than the older generation, but even myself who works in cyber security, I never think it’s a bad idea to take a refresher,” Foss commented. “It’s really easy to get caught off guard, no matter how tech savvy you are.”
“It’s a never ending game of cat and mouse,” Foss concluded. “One thing gets fixed, and then another vulnerability gets exposed. What I would suggest is keep your machines patched—run your updates, especially security updates. If you ever feel like you may have been a victim, you can start with IT or you can start with campus police and we can do a quick assessment on your machine or review some email logs. The best protection in cybersecurity is the human element, the person behind the computer.”