Since mid-December, more than 60 students’ email accounts have been hacked, resulting in a series of phishing attempts. Emails claiming association with Temple University and such fictional institutions as “Recruitment Team,” “Market Force Information” and “Mystery Shoppers” arrived in inboxes with promises of easy pay—provided that recipients enter sensitive personal information first.
While the messages may have appeared genuine at first glance, many students were quick to notice that something wasn’t quite right.
“I got this email about this job opportunity from someone I know on campus, but I know they aren’t [involved] in any sort of business like that, so it just freaked me out a bit,” said Michelle Lu ’20.
Eric Berube, associate Information Technology (IT) security officer, explained that these account compromises are likely the result of College email users visiting fraudulent websites and entering account information. Asked whether the recent school-wide switch to Office 365 might have affected account security, Berube said that, on the contrary, the new software has allowed for more effective detection of security issues.
“Office 365 has a bunch of tools in it that we didn’t have before, and so in all likelihood we probably had a bunch of students compromised that we didn’t know about in the past. It has really been a huge benefit in that regard,” he said.
One of these tools allows Berube and his coworkers in IT security to detect a phenomenon called the “impossible journey,” or when a user’s account is accessed in two geographically distant locations within a short period of time. A login from Brunswick and shortly thereafter from Beijing is a good indicator of a compromise, because the user could not have traveled that distance in such a small interval.
Berube said that the IT department is moving toward a solution to the problem, but noted that its ability to prevent future phishing events is largely dependent on user awareness of internet security threats.
“Right now we’re still working on how we’re going to remediate these [phishing attempts] in the future, but the reality is there’s only so much we can do,” he said. “[No matter] how many security controls we can put in place, they’re ineffective if somebody asks for a password and they get it.”
“On the heels of that though, the biggest thing that we want to start using is two-step verification, so that even in the event that a student gives away their password, the cyber criminals can’t get in,” Berube added. “If any Bowdoin person gives away their password, the system will notify you … and at that point you can contact us and help you to sort it out.”
Outreach is also an important part of the department’s plan. In the future, Berube hopes to hold talks with students, as well as to reinstate the Bowdoin “phishing derby,” an event held last year in which campus email users were encouraged to identify phishing attempts for points and a subsequent reward for the winner.
“I think that’s the challenge—getting students engaged,” Berube said.