The Eastern Echo Friday, Sept. 20, 2024 | Print Archive

Spam emails plague EMU

Learn how not to get hooked by “phishermen”

Phishing has been reported campus-wide at Eastern Michigan University, with more than one victim.

Phishing is a con in which the “phisherman” emails a threat of some sort that will supposedly be carried out unless the victim takes some action, like responding to the email. With one response, the phisher can get username credentials to send more emails, access banking information or even steal the victim’s identity. Sometimes the information is then sold.

“This has been going on I’d say well over a dozen years,” Carl R. Powell, EMU’s chief information officer, said. “Every year we tend to see a bigger increase on campuses in the fall. There is also a term called ‘spear phishing’ which is what we’re encountering more here.”

Spear phishing targets a specific group. In EMU’s case, that would be the students, faculty and staff.

“EMU isn’t unique to this situation by any means,” Student Body President Desmond Miller said. “Other universities are unfortunately having the problem of spam messages as well.”

Miller and Powell pointed out that 80 percent of spam messages are being detected and stopped by the university. According to an EMU document, Reputation Filtering stopped 73.2 percent of messages.

“Close to 90 percent of Eastern’s emails is spam or viruses that never gets to anybody,” Powell said. “It’s trash that we kill off and electronically shred.”

“I’d say on average we have what we call a ‘hijacked email account’ a day,” Powell said, concerning how effective EMU’s security is.

He said that on top of having over 25,000 students and 2,000 faculty members, EMU also has to look at alumni.

“We’ve got fifty thousand email accounts, so we have at least one of them hijacked a day,” Powell said. “We tend to see it [phishing] throughout the year, probably a bigger influx around fall and around Christmas.”

EMU runs its own internal phishing network program called phishme.com. This website phishes faculty and staff as a stress test on the system and to educate staff and students who do fall for the scam.

Powell said impromptu training is used by schools nationwide to get people to be cautious of emails they open.

“It’s an education process,” Powell said. “We’re not collecting their user IDs, we already have access to the accounts we have access to. We’re not asking for their banking information. If I asked for their banking PIN, the Feds might have a problem with me, but we’re asking for their EMU user IDs and passwords. We have access to those accounts. We manage it.”

“One of the easiest [signs] is misspellings,” Powell said about how spam messages get through and the signs that point to phishing. “The way that the anti-spam filters work is that they tend to read the entire spam and give it a numerical number based on all the words and numbers used in there. But if I just change one word, change an A to an E, I now come up with a different mathematical representation for it, which will bypass the spam filter. Look to see if there’s misspellings in there. No professional organization would send an email with misspellings.”

Powell said that if the email is threatening, assume it is spam because no reputable organization would send a threat like that via email. It is a scare tactic and nothing more.

If the email claims to be from a friend or a personal bank, make sure that the email is expected. Otherwise, people are told to be cautious.

Miller said that there would be a meeting in the next couple of weeks to discuss plans to deal with such scams. This includes a program specifically for freshmen to educate them on how to stay safe.

Powell said if it is a phishing attempt, just delete it.

For more information on this, contact Desmond Miller or the Eastern Michigan University IT department. If you have been a victim of phishing, contact the EMU help desk.