Plattsburgh State students were targets of an array of phishing scams and a SUNY-wide phone scam over the summer break, prompting PSUC officials to send warning notices and bring cybersecurity to the students’ attention.
No students have reported that they have fallen victim to any of the scams since the email notifications were sent out, though some recipients were suspicious and attempted to get more information.
PSUC Information Security Analyst and Information Security Chair Symen Mulders and Assistant Chief Information Officer John Bradley said that most of the phishing attempts were just general “shotgun approach” scams with the exception of one spearhead phish that occurred in June requesting assistance in purchasing an iTunes gift card.
The spearhead phish was sent through a compromised email account specifically tailored to the students it was aimed at.
SUNY Adirondack was targeted by phone scammers trying to call students asking for personal information. Although there were no reports of the phone scam reaching Plattsburgh State, emails were sent out to warn the students as a precaution.
Dean of Library and Information Technology Services (LITS) and Information Security Officer Holly Heller-Ross said that whenever another SUNY school sends out an alert, PSUC is potentially at risk as well.
“We try to proactively get the word out for people so that hopefully no one on our campus will actually fall prey to the scammers.” Heller-Ross said.
Mulders had a spear-phishing experience of his own a few years ago when he received a scam email pretending to be his father requesting money. Mulders’ father traveled to Europe and had posted many Facebook statuses leading up to and during the trip.
While his father was overseas, Mulders received an email supposedly from his father telling him to wire money because he was in trouble. Mulders contacted his father to find that his father was perfectly fine, and the email was a “pretty clever” trick.
“[Scammers] look at people’s social media to find things like that they can exploit in some way,” Mulders said.
Bradley said that there are many mechanisms set into place to filter through all the emails that the college receives and to search for known schemes, and even though he believes the ratio is pretty good currently, the odd scam can slip through.
“The balance is always trying to filter too tight so you get the legit stuff and not tight enough so this stuff gets through,” Bradley said. “It’s a balancing act.”
PSUC is working to increase security measures by instituting multi-factor authentication for logins for faculty and staff that may eventually reach the student body.
The multi-factor authentication process, through Duo Security, requires the user to confirm or deny their identity after the initial login with numerous verification options. These options include: phone calls, SMS codes, HOTP and TOTP codes (time-based one-time passwords), security tokens (portable USB drives) and the Duo Push feature through the Duo Security mobile app.
Heller-Ross demonstrated the Duo Push verification when logging into her MyPlattsburgh account. After the initial login attempt and selecting the Duo Push option, Heller-Ross received a nearly instantaneous notification on her cell phone requesting her to confirm the log-in attempt.
Upon denying the request access is denied, but the user isn’t blocked from attempting to log in again for a few more times. When the request is accepted, the user is then logged in.
Although there is the limitation of needing to have a phone or token to sign in. LITS believes it is the next step to take for that extra layer of security. Around 300 faculty members are currently using these services, and LITS hopes to one day extend these services to students when the budget allows it to do so.
Heller-Ross, Mulders and Bradley emphasize the importance of protecting confidential information and making use of campus resources in the case of emergency.
“Phones and email remove distance,” Mulders said. “Whenever you get a phone call or read an email, you should have the mindset that you’re in an unfamiliar neighbourhood at 3 a.m. Be suspicious.”
Email Windsor Burkland at email@example.com