Phishing Scam Sent in Email to Students and Staff

An email containing a phishing scam was sent to students and faculty over the summer on July 17.

The email’s sender claimed to be a representative from Monmouth University notifying everyone of an important meeting. The phishing email read, “Dear User, this is to notify all of an important meeting which is scheduled to hold 18th July 2018.  Click here for details.”

“Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details for malicious reasons, by disguising as a trustworthy source in an electronic communication,” said William Reynolds, an adjunct professor of computer science and software engineering. He explained that phishing emails can include links to websites that install malware. 

“One of the most difficult things about phishing is that it is viewed as a technology problem, when it is simply age-old scams that are exploiting new technologies,” said Edward Christensen, Vice President for Information Management. According to him, the best way to avoid phishing schemes is to be informed about what red flags to look for.

“I did happen to encounter the phishing scam email… The average user does not think twice about phishing emails,” said Kyle Frankenbush, a junior computer science major. “If a user does fall for a phishing scam, important information like credit card information, social security numbers, and passwords can be taken and then exploited by the source of the phishing scam.”

Christensen said that the University systems currently utilize several anti-spam and malware detection services to identify and delete phishing emails before they make it to their intended recipients.

These systems tend to filter out nearly 70 percent of scams, preventing them from making it to University inboxes. Unfortunately, it only takes one email to risk a user response that may compromise the individual’s credentials. Christensen also explained that scammers use “behavioral and social engineering” in order to get users to respond, and supplement this method by reverse engineering the anti-phishing software methods to create emails that will get past the filters on email inboxes.

“In all phishing cases, steps are taken as soon as Information Management is made aware that include disabling any Monmouth accounts that were used to send phishing emails, and [changing] passwords to compromised accounts,” said Christensen.

Information is also added to the University spam and malware filters as a preventative measure. “The best way to prevent phishing from being successful is to never click on a link in an email,” said Reynolds. “Just clicking on a link can put malware on your computer.”

“Among the best practices are to never send personal information in an email and to be wary of any document or link from an unverified source that asks for your credentials. At Monmouth, most of the systems that require your username or password can be accessed via the MyMU portal, so instead of following the link, go directly to the portal and log in from there,” explained Christensen, stressing that this is important for financial accounts as well as others.

“Whenever a system offers you the ability to enable multi-factor authentication take advantage of it,” Christensen said. “Multi-factor authentication is often used in financial services where you register a phone to validate your login via an application or text to that device. You will see more of this type of authentication being made available at Monmouth.”

These troublesome emails can do real damage. “Phishing scams can steal your identity as well as freeze your computer until a ransom is paid,” said Reynolds. Christensen also stressed the threat of identity theft, fraud, and use of a victim’s personal information for criminal activity as potential risks of falling for these scams.     

Reynolds detailed earlier issues with phishing scams. “I have had limited success by restoring my PC to a date before the phishing scam occurred and was able to gain access to my computer. Your banks and credit card companies will generally work with you to undo some of the monetary damage,” he said.

“One word of advice that I’d like to offer is [to] never use your debit card online or at a shady looking gas station or store,” Reynolds added, stressing the importance of protecting personal information in all situations.

“Once that money is drained from your account it is almost impossible to retrieve. Credit card companies can freeze your account and issue you a new card [although] in most cases, the charges will be forgiven.”

Christensen advised those who suspect they have become victims of phishing to change their passwords and call the Help Desk at 732-923-4357 if their school account was affected.

“Cybercriminals are often sophisticated in how they craft their emails to avoid detection, so our efforts are strengthened when users bring suspicious emails or unauthorized access attempts to our attention as it allows us to act quickly,” he said.