Don’t Go Phishing

Comic by, courtesy of Wikimedia Commons

For about two weeks, both students and faculty at Calvin have been on the receiving end of a cyber attack called phishing. According to Adam Vedra, the associate director of IT and security for Calvin Information Technology (CIT), this attack is primarily crafted to access the account credentials of a particular individual or for monitoring purposes, though the root cause, as well as the party involved in this particular attack, remains anonymous.

CIT has been working relentlessly to solve this problem. As stated by Vedra, the department has three working solutions to offset the problem: a Multifactor Authentication implementation, a new kind of technology and an awareness training program.

The first solution would be to implement a Multifactor Authentication key approach. The Multifactor Authentication implementation is designed to aid detection of any phishing email before it circulates to the other recipients.

“Every email that comes in from senders outside the Calvin community passes through the email security gateway that contains a high level of AI,” said Vedra. He added that sometimes, despite the intense security measures used, some emails bypass such security protocols. Once one person clicks on the phishing email, their password and username are given out to the sender. Once the sender gets this information, they easily gain full access to Calvin’s Office 365 system, which enables them to send out more phishing emails to other faculty or students.

Vedra asserted that implementing the Multifactor Authentication, which will involve downloading a mobile application, will help both students and faculty to receive an alert when an unauthorized user signs into their account using their password. With the Multifactor Authentication implementation, users would have to use their password as well as their personal mobile devices to verify their identity. Thus, once a user types in their password, they would have to verify on their mobile device that they are actually the one currently signing into the system. Their password would then serve as the first key for access into any Office 365 feature such as their email or OneDrive. The app also includes an optional feature that requires the user to authenticate his or her identity weekly using the same implementation.

The second approach to solving this problem involves using a new technology which is in its initial stages.

Third, Vedra also emphasized raising awareness and training among students. He affirmed that students should first use another medium of communication such as text messaging to verify the sender’s intention if they personally know the individual. If that isn’t the case, he advised that students should not be hasty in clicking links sent to them without first verifying the source. However, Vedra advised that if students did not feel comfortable with the above approaches, they should not hesitate to hand the issue over to CIT, who would be glad to handle the problem.