Calvin Information Technology (CIT) is working on measures to prevent data breaches and raise awareness about safe computing practices. This past summer, Calvin students’ emails were targeted by phishing scammers hoping to obtain private passphrases, social security numbers and other personal information.
Calvin’s influx of phishing emails comes in the wake of Ferris State University’s security breach this past summer. On July 23, an unauthorized person had access to 39,000 records that included social security numbers.
Adam Vedra, CIT’s information security officer, wants students to be aware of these cyber threats and ways to prevent them. In particular, phishing emails are common scams that students and staff at Calvin may receive in their inboxes.
“I would say phishing is probably the most common attack vector against Calvin, and it has really stepped up over the summer,” Vedra said. “[Phishing] is when cyber criminals try to get login credentials so they can get deeper access into systems at Calvin. They’re hoping that somebody that has the kind of access that they want will fall for it. And so what we have seen is, if accounts are compromised, they will try to use that to go a further step.”
Although the ways and methods in which phishing scammers try to bait potential victims vary, there are certain patterns that are characteristic of phishing emails.
“It’s usually a link, [but] it can be just a regular email,” Vedra explained. “All they’re doing is asking for information, so they do phishing in such a way that it seems like a legitimate request from a person of authority. Sometimes they will have a link that will forward you somewhere that has a form saying you need to login, or you need to put in your password and information, and they supply it that way. Sometimes there’s not even a link and they just ask for the information.”
Phishing scammers often use convincing and familiar words and images in order to lure people to click on a link or divulge confidential information, which is why Calvin students should be on the lookout for suspicious emails, Vedra said.
“We had a [phishing scam] over the summer where they forwarded to a page that had Calvin logos and information on it, trying to make it convincing,” Vedra said. “So they keep stepping it up a little bit. They start using familiar language that we use here on campus, and they find that information out just by going to our website.”
Vedra emphasized that the primary thing that students should be aware of is that Calvin will never ask students to reveal passphrases or other private information.
“That’s the number one thing: no one at Calvin will ask you for your password,” he said. “Your passphrase is private information that only you should know, so you shouldn’t be sharing it with anyone, including your friends and parents. And nobody at Calvin should be asking you for that. So that’ll solve 99 percent of the phishing attempts where they’re trying to get your passphrase information.”
When in doubt about an email’s legitimacy, students should contact the Calvin HelpDesk for more information, Vedra said.
“If you have a question in your mind, and you think this seems strange or it’s fishy, always ask. You can always contact the HelpDesk and you can say, ‘I got this email; does this seem right; does this seem legitimate?’ They’re always willing to help you through that. So if it seems fishy just leave it alone and ask for help, ask questions.”
Another basic preventative measure for avoiding phishing scams is to check the source of the email, Vedra said.
“With phishing, if you look at the address bar, it might say Calvin IT HelpDesk, but if you look at the actual address, it’s coming from a Gmail account or a Yahoo! account. So pay attention to the address.”
But despite the hubbub over phishing scams and data breaches, the email system used by students and staff at Calvin is advanced and blocks a lot of emails with scams and spam, Vedra said.
“Students are on the Google mail system, so they have a pretty sophisticated system that blocks a lot more than you can imagine,” Vedra said. “So what [scams] get through is usually written in such a way that it’s not caught by the spam firewalls or those tools that block that. There’s a lot that’s being blocked and protected.”
This upcoming October is Cyber Security Awareness Month. Vedra plans to use that month to campaign and promote safe computing practices to faculty and students.