EMMA PIRHALA / NEWS EDITOR

One type of message fills the inboxes of students and faculty alike: scam emails. Phishing emails, or messages that ‘fish’ for certain information, are utilized by hackers to gain access to sensitive and private information. Many students receive phishing emails in the form of job postings, which promise hefty stipends for minimal work — with a caveat. You often need to provide a Social Security Number (SSN) or other personal information in order to apply for these positions. In some cases, these scams resemble legitimate messages. However, others are  recognizably fake. Some students have received emails that impersonated President James T. Harris III and requested  their contact information. 

USD  senior Diana Smith shared how real some phishing emails are. 

“Well, they make it seems so real,” Smith explained. “And then they bring up things like tuition or like financial aid, and I’m not gonna like, I’m not gonna joke about that. And so I click on it, but then they’re joking.”

USD Associate Vice President and Chief Information Officer of Information Technology Services (ITS) Elazar Harel provided insight into phishing emails and why they flood students’ inboxes.

“When users enter their credentials or personal data, attackers may  gain access not only to their accounts but to the entire network, making the university an appealing target for phishers to penetrate,” Harel explained. “They especially look for people with weak security awareness who are not familiar with cyber attacks. Students and faculty receive them because educational institutions are one of the prime targets due to the vast amount of personal data they hold.”

Phishing emails are becoming far more advanced and convincing than in the past. The increasing power of artificial intelligence streamlines hackers’ activities by improving the quality of the messages, making them more persuasive. Many phishing emails utilize compromised email addresses within an organization’s domain to build credibility and gain trust within a network. For example, a phishing email sent to some students and faculty members on Sep. 16 came from an email with a USD domain. The convincing job posting received attention from those in the USD community due to its apparent trustworthiness.

Once attackers acquire access to the victims’ accounts, they may drain assets from financial accounts, breach important data or impersonate the identity they stole. To prevent phishing, ITS utilizes a variety of methods to promote awareness. Duo Mobile, a multi-factor authentication tool, used by all USD students and faculty reduces the risk of accounts being stolen by hackers. ITS reported an incident where USDOne accounts were compromised when targets due to the vast amount of personal data they hold.” 

Phishing emails are becoming far more advanced and convincing than in the past. The increasing power of artificial intelligence streamlines hackers’ activities by improving the quality of the messages, making them more persuasive. Many phishing emails utilize compromised email addresses within an organization’s domain to build credibility and gain trust within a network. For example, a phishing email sent to some students and faculty members on Sep. 16 came from an email with a USD domain. The convincing job posting received attention from those in the USD community due to its apparent trustworthiness.

Once attackers acquire access to the victims’ accounts, they may drain assets from financial accounts, breach important data or impersonate the identity they stole. To prevent phishing, ITS utilizes a variety of methods to promote awareness. Duo Mobile, a multi-factor authentication tool, used by all USD students and faculty reduces the risk of accounts being stolen by hackers. ITS reported an incident where USDOne accounts were compromised when students and faculty accepted false calls or push notifications from Duo Mobile. In light of this event, ITS recommends that USDOne account holders report any spam calls or notifications from Duo Push, as they may indicate a hacker is attempting to gain access to their account.

According to their website, ITS launched the Phishing Awareness Program in 2017 in partnership with KnowBe4, a security awareness training tool. The objective of the program is to raise awareness about the dangers of phishing emails by targeting outreach to those with weak security awareness. To target cyber security training programs, ITS regularly sends out phishing emails to students and faculty. Those who access the links in the emails are redirected to a training module, which informs students and faculty about how to detect and avoid phishing emails. 

Simulated phishing emails prompt students to learn about cyber security. Shannen Swars/The USD Vista

Harel explained the thought process behind the artificial phishing attacks. 

“Combatting  phishing attacks requires awareness among patrons,” Harel stated. “The simulated phishing messages are, in fact, real phishing scenarios. We do this so users become more vigilant, familiarize themselves and avoid phishing by providing timely learning opportunities and strengthening a security culture…These simulated messages enable us to measure the vulnerability of our campus community by tracking the statistics that can show us who are most vulnerable to phishing attacks and what type of phishing attacks are ‘successful.’”

Some students and faculty have fallen victim to the simulated phishing emails. USD first-year Aaron Hernandez shared his experience after succumbing to the artificial scam messages.

“Yeah, I’ve seen them because I got it once before,” Hernandez said. “I got an email and I just I was like, what is this? Because I kind of thought it was like I was in trouble. So I just clicked on the link and it’s like, ‘you’ve been  phished.’ If you see a link like this, don’t click it because this is what happens if you do, people steal your information and things. And itt looked official, like it looked like it would be from somebody from USD. I mean, like they gave a picture in an example and everything.”

Detecting scam emails can be difficult, however, there are telltale signs of phishing that ITS recommends looking for. Students and faculty should avoid clicking links from messages that require action be taken immediately. Caution should also be taken when the emails are vague or generic. USD sophomore Gavin Emerzian shared his experience with an email that was, in fact, a scam.

“I usually can easily spot when the email sent to me is actually a USD phishing email,” Emerzian said. “The weirdest ones were telling me that a fake email was attached to mine and I needed to click a link to verify it was not affiliated with mine.”

October is National Cyber Security Awareness Month (NCASM) and ITS plans to launch campaigns to further spread awareness. NCASM is a partnership with the Department of Homeland Security, the National Cyber Security Alliance, and NCSAM Champions such as USD. 

Each week in October, USD community members can learn more about cyber security through different modules, including phishing, password security and data, social engineering, viruses and ransomware. Students and faculty attempt to remain vigilant as these ‘phishy’ emails pop up in their inboxes. 

Daniel Miranda/The USD Vista