H 35°, L 21° | Tomorrow: 
H 22°, L 8°Phishing scams, fraudulent e-mail and website scams to steal personal information have become an growing problem on the University of Wisconsin campus over the past school year, according to university officials.
In response to a large breakdown of online campus security last fall, university officials started a new initiative to crack down on the problem.
Jim Lowe, chief information security officer at UW, said last semester, one phishing e-mail scam was sent out to 6,300 students and staff.
Ninety five of those students and staff, or just over 1 percent, gave up their credentials in response to the e-mail, creating a large problem for the UW list server and the DoIT Wiscmail team.
A typical phishing scam consists of an e-mail from the “campus help desk” or other legitimate university office claiming victims must reset their username or password due to maintenance work being done on the system. The usual targets of phishing schemes are the officials working in the department the scam claimed to be sent from.
“It only took the response of a few people for the scammers to create a problem,” Lowe said. “Most of the Wiscmail team was working around the clock to prevent the loss of services because of that breach of security.”
Consequently, UW started an awareness campaign to educate students and staff on the types of scams and their dangers while also strengthening the filtering system for e-mails and sending out a generic message when a new scam is found.
One of the difficulties of stopping online personal identity scams is the ever-changing framework of the newest scams.
Brian Rust, senior program administrator for UW communications, said the key to stopping phishing is awareness and keeping security ahead of the newest scam tactics.
“Some of the most recent scams are more personal as scammers have realized that the general public is becoming more savvy to their techniques,” Rust said. “For instance, a scammer will engage a person with more one-on-one dialogue so that the victim lets down their guard.”
Despite the university’s efforts, a significant number of students, faculty and staff continue to disclose their personal identity information in response to fraudulent e-mails and websites, according to university officials.
Before phishing scams became a problem, some UW departments asked for their staff to verify or change their username and password via e-mail. This policy initially confused many people, but UW is now working with departments to eliminate the e-mail requests.
“University departments will not ask you to disclose personal information via e-mail,” Lowe said.
Lowe went on to say that UW’s focused message is not to entrust your personal information to anybody you do not know, whether by e-mail, website or phone.
For more information on how to identify e-mail scams and phishing, visit UW’s website on anti-phishing or watch UW’s anti-phishing video.
IP hash: e89230f8
On a campus, I can imagine that you can walk around to ask people to change their passwords, etc. But, otherwise, email can be made a lot more safe if the sender uses DKIM or SPF authentication. Users should always have anti-phishing software (often an easy plug-in) that will ping the sender’s server to see if they really did send a particular email.
This isn’t rocket science. My company has this feature in a free email plug-in (Gmail, Outlook, Hotmail, Yahoo!Mail) where we get our money from corporations that want to make sure that you trust that their email is real as well.
Does your IT Department want to participate in a free beta program with a large American company that will put the school logo (favicon) in the students’ inboxes for all authenticated email?
If so, please contact me and we will help you put phishers out of business.
IP hash: 4ddd4758
Allen, I don’t think you quite understand the nature of this type of phishing attack.
IP hash: 97d91588
Does this amount of phishing attempts have anything to do with the University selling off our email accounts to interested parties?
IP hash: e89230f8
From what I understand, the phishers do not have access to the university server, which means they cannot “sign” email for authentication via DKIM or SPF. There are various free plug-ins the students can use, including SenderOK, that will put the University Logo in the inbox ONLY for email that has officially come from the university server. The students would be told not to respond to an email that does not have the university logo in the inbox and embedded into the header panel. Phishers won’t be able to beat that unless they previously got you to download their own plug-in.
Their “Campus Help Desk” email would be bare…without a logo in the inbox.
All bets are off if someone tries an inside job from within the administration. But that is less likely.
If the school sells email addresses to third parties, that would be a spam issue and not a phishing issue.