By Harry Rowe | Staff Writer
A phishing cyber-attack occurred this week, leaving potentially hundreds of students’ information at risk. Phishing occurs when hackers make emails appear as if they are coming from a reputable source.
The phishing attack, sent through emails, attempted to have students enter their Baylor sign-in information through a link. Once a student entered that information, the attack used that student’s account to send out more emails to all of their contacts.
“A lot of times the way we talk about this is a social attack or social engineering,” said Jon Allen, chief information security officer and interim chief information officer. “People are using social skills. They phished one account — they’re going in and saying ‘Hey, here’s an email people might respond to,’ adding a link to it, sending it on to some other people and you just get that spider effect.”
Phishing emails can be difficult to identify because they use information from real emails, like subject lines, to appear legitimate, according to Allen. They have a range of goals, but they focus primarily on getting account passwords and sending out scam emails that potentially steal the user’s information.
“We have seen them where they’ve actually cloned the website exactly, and we’ve seen them to where it doesn’t look like anything we’ve ever used on campus. You get the whole range of folks doing this stuff,” Allen said.
Allen said it’s important students realize when they are being sent potentially dangerous emails, since there’s nothing Baylor’s Information Technology Services (ITS) can do to help once the attack has been completed. He encouraged students to be conscious of what emails are asking them to do, and even to send an email to the ITS help desk asking whether a message is legitimate.
“If you’re clicking a link and your next action is putting in a username or a username and password, it’s on you,” Allen said. “There’s nothing we can do at that point to prevent you [from being phished].”
Allen strongly recommended students follow @BearAware on Twitter, an awareness system specifically related to information security. He said it not only provides much faster and more effective communication than email, but it can also be updated very frequently. According to Allen, the first two weeks of school both included 80 students who had had their passwords compromised through phishing. In last night’s attack, that number was over 100 students.
Nashville Baylor sophomore Stoll Speer received an email on his Baylor account with a subject titled “NO PRACTICE ON LABOR DAY.” Since Labor Day had passed, he was able to identify it as a fraudulent email.
“It looked like a regular email for the most part. I originally thought it was a notice for the rock climbing club I go to, but the subject of the email gave it away,” Speer said.
Allen said DUO authentication for email is being tested by 600 students and may be rolled out to the student population soon. As bad as this attack was, he said it is important to realize that Baylor’s extensive DUO authentication system helps fight against things like this.
“A big part is that even if you give away your password, without DUO they can’t get into your account. That really changes the bar; that’s a big difference,” Allen said.