IT News & Events

News about IT at Indiana University and the world

Menu

IDS: Email phishers target IU students

IU cybersecurity experts Von Welch and Tim Goth weigh in on how to stay safe online

(This article originally appeared in the Indiana Daily Student: http://www.idsnews.com/article/2015/11/phishing)

It all begins with an email, Tim Goth of IU’s Public Safety and Institutional Assurance said.

In carefully crafted emails, hackers can pose as the University, University Information Technology Services or even students to request private information, such as account passwords, an IU passphrase, telephone 
numbers and more.

It’s what email phishers use to gain access to personal accounts, such as those for banking or university information.

“It’s basically someone trying to trick another person into believing the authenticity of a message, and then they are using that to gain information or to gain 
access,” Goth said.

Von Welch, director of IU’s Center for Applied Cybersecurity Research, said email phishers typically use something scary in their emails to prompt quick action from respondents. Such emails could claim IU accounts may be frozen or email discontinued if personal information is not shared.

Welch said online banking is one of the most common schemes used. Hackers can use the information to drain victims’ bank 
accounts or launder money.

Goth said once an attacker is given a corresponding IU username and passphrase, they gain access to University account information such as the bursar, meal plans, scheduling information and more. Phishers could next try to share or sell this information for profit or disrupt personal 
accounts.

Frequently, email phishers will use contact information from one compromised 
account to expand their network and prey on a wider network. 
Some send out thousands of 
emails per day.

While Goth said it’s impossible to prevent receiving the malicious emails, the best thing a student can do is to be aware. Do not open emails from unknown addresses and do not give out 
personal information.

“We live in a society where we’re kind of programmed to keep that inbox down to zero or the notifications on your phone down to zero,” Goth said. “But just because you have an unread email in your inbox doesn’t necessarily mean you should open that email, especially if it’s not from someone you’re expecting an email from.”

Welch said 95 percent of 
attacks result from the victim’s clicking a suspicious link in an email and entering a username and password. He said the best way to prevent an account from being hacked is to google the website address for any business an email might claim to be before following a link.

“It’s mostly just being a little bit leary of the links in the emails you receive,” Welch said.

Goth said IU and UITS will never ask users to identify personal information or request a username and 
passphrase via email.

“It’s a lot of constant vigilance both on the part of our user base, as well as part of the staff of the information policy and security offices, to ensure that we can do everything we can to try to stop this,” Goth said.

If someone believes they have fallen victim to a phishing scheme by opening a suspicious email, Goth advised they immediately change their passphrase, imail or umail vendor password and report the incident in an email tophishing.iu.edu.

Within an hour of the report, Goth’s team will work to file an official abuse complaint against the malicious website’s host and create a sinkhole, redirecting future website visitors away from any associated link requesting personal information.

Goth’s team also has the power to scramble passphrases for those unaware that they may have been phished. However, because of IU’s strict privacy policies, Goth and UITS cannot access or read user emails to assist in taking preventative measures, and therefore rely on reported information.

“We have to rely on the reports we receive,” Goth said. “If we don’t get these reports, we have a gap in our security that is very difficult for us to address.”