By Aleksandra Sidorova
An alert warning users of scam emails was issued on the MyPlattsburgh portal at 11 a.m. Thursday, Nov. 10. Up to 200 faculty and staff members received targeted emails attempting to scam them out of email login credentials, Chief Information Officer TJ Myers said.
Scam emails are nothing new for SUNY Plattsburgh or any other college — five to 10 get reported to Myers every week. But scammers are “getting more crafty as the days go by” with their emails, Myers said.
Phishing scams are broadcast messages packed with enticing content to trick the viewer into clicking a link and potentially sharing information or money with them. The anti-spam algorithms built into the Google software which serves as SUNY Plattsburgh’s email platform are usually able to filter these messages. What becomes harder to filter is spear phishing attempts — targeted messages mimicking a sender the recipient would know and usually correspond with. Myers said he once saw a spear phishing email using the name of a professor who no longer teaches at the university. Spear phishing attempts are more successful because they can look like regular emails.
The most recent, most real-looking scam email recently sent to 50 to 200 faculty and staff members was one that alleged the school was transitioning to a Microsoft-based email platform and required recipients to set up their account before a deadline. Another example of a convincing scam is a Google Drive link prompting recipients to enter information into a document. Students are especially vulnerable to scams offering low-effort jobs for high pay, often assistant positions for professors who do not exist.
A number of protective measures against phishing scams are in place. Within the past year, emails not originating from SUNY Plattsburgh’s domain contained the “[External]” marker in the subject line. Additionally, students have been removed from the publicly accessible university contact directory, and can now be viewed only upon logging into the portal. This measure has significantly reduced the number of scam emails that make it directly into students’ inboxes. However, this leaves vulnerable faculty and staff, whose information is still publicly available for ease of conducting college business.
Two-factor authentication through the application Duo also improves campus security. Trouble comes only when scammers try to trick people into completing the two-factor authentication for them. No students have been scammed out of money since two-factor authentication has been implemented — a “huge win,” Myers said.
“I know it’s a pain,” Myers said. “We’ve heard various complaints and issues over the last couple of years about the use of Duo, but it actually is a very good protection — it’s another layer of defense to help against getting your account compromised.”
There are also factors SUNY Plattsburgh can’t help. If an account at another college is hacked, the hacker has access to the emails in the account’s contacts, including some SUNY Plattsburgh students, faculty or staff. If a compromised account is discovered, Myers notifies the institution.
While the safety measures help, there are only so many that can be implemented without blocking legitimate emails. The MyPlattsburgh alert is a new mechanism Myers decided to try with the recent scam email attack, but it will not be used frequently.
Myers routinely sends out emails with advice on avoiding scams, but emphasized the importance of user education.
“What I’d really like to see is some sort of mandatory training,” Myers said. “There are so many scammers out there, there’s so much infiltration right now. User education, I think, needs to ramp up.”