Imagine receiving an email from techservices@elon.edu. The email, complete with the new Elon University logo in the header, says you won’t be able to access your transcript on OnTrack anymore unless you register your OnTrack login and password with Technology Services at the link below.

Would you think twice before clicking on it?

According to Chris Waters, assistant vice president for technology and Chief Information Officer, you should think twice — or else you could become a victim of the latest of many phishing scams that plague Elon University email users every semester.

“They happen so often, we’d be sending out emails every day [if we notified users of every attack],” Waters said.

Gone phishing

Phishing emails, which many students might know better as spam emails, are messages sent by attackers that typically ask the recipient to click a link or enter credentials. Phishing is a common form of social engineering, a human-based form of hacking.

“At its simplest form, social engineering is just tricking someone into doing something that they otherwise wouldn’t normally do,” said Information Security Director Keith Schoenefeld.

While many email users might consider phishing emails just annoying, Schoenefeld said these emails pose a more serious threat than they seem to — especially if the addressee clicks the link in the email.

“Either they infect your system, at which point they could install a keylogger and log all of your keystrokes and steal your usernames and passwords,” he said. “Or, most often, what phishing attacks are doing is convincing you to go to a website that looks like an Elon website and type in your username and password.”

Once an attacker has access to either a computer or a user’s credentials, it’s impossible to know what might happen next. Attackers can obtain sensitive information, or even money, by accessing sites like OnTrack, online banking accounts and email archives.

Schoenefeld, though, said the most common target of an attacker is an email user’s address book.

“If they have your email credentials or your university credentials, they’re generally just trying to steal access to an email account that they can send more phishing messages from,” Schoenefeld said.

Email users are getting better at recognizing phishing emails. They’re used to deleting Viagra coupons and Nigerian prince money transfer requests. But attackers are getting smarter, too, and Schoenefeld said attackers have found ways to target Elon users specifically.

“It’s all about tricking the user, right?” Schoenefeld said. “The more realistic you can make it, if you can put that Elon banner at the top or put those Elon images at the top, people are more likely to fall for it.”

Images are just one piece of the puzzle. According to Schoenefeld, attackers can easily spoof an Elon address — that is, forge the sender address so a message appears to come from elon.edu. But if an Elon user enters his or her email credentials through a phishing email, the attacker doesn’t have to spoof the address at all.

“The address that it comes from oftentimes you can fake, though it does help if you get one person on campus to give up their credentials, and then you can send an email to the rest of campus from an Elon address,” he said. “We’ve seen those being more successful.”

An email may look like it comes from an Elon email address, but that doesn’t mean it came from the person who owns the account.

Staying alert

Though Schoenefeld said keeping email addresses secret is “almost impossible,” Technology Services and Information Security have systems in place to try to keep Elon email accounts safe from a technological standpoint.

Though faculty email addresses are available for any Internet user to search on the public faculty and staff directory, the student email directory is hidden behind an authentication wall. Users must prove their affiliation with Elon by inputting their username and password to access the directory, and even then, student information is only available through a search feature — unlike the faculty and staff directory, which can be searched by department without looking for a specific name.

The university also employs vendors with a history of filtering unwanted messages before they reach Elon email users, such as Google and Microsoft.

“Honestly, Google and Outlook do a pretty good job of catching a lot of [phishing emails],” Schoenefeld said.

But if an attacker has already compromised an Elon email user’s account and address book and is using that account to send more phishing emails, vendors might not know to filter out the sender’s @elon.edu email address.

In that case, when the email lands in the user’s inbox, it’s up to the user to recognize the message as a phishing scam.

According to Waters, though Technology Services is always monitoring for suspicious activity that gets through spam filters, the university relies on targeted individuals to help identify attacks.

“A lot of it becomes human interaction, less about what a system can do,” he said.

Waters said the key to making sure Elon email users can recognize a phishing email is awareness. A few years ago, the university sent out emails through Vice President for Student Life and Dean of Students Smith Jackson whenever a phishing campaign was reported.

Now, Waters said, he feels the Elon population has reached a level of awareness that makes sending out emails for every reported phishing campaign redundant.

“For a while, we sent out emails almost every single time,” he said. “But what we feel like we’ve done now is we’ve raised awareness.”

Email is still the way to get the message out, though, if a more significant problem emerges.

“If we saw something that was like, ‘Log in here to check your grades,’ and everybody’s doing it, we better get it out there,” he said.

Schoenefeld said even without an email from the university, Elon email users can easily learn to recognize suspicious emails. His advice for recognizing phishing emails is simple: Slow down.

“Most of the time, they’re telling you to provide credentials or you’ll lose access to something or your password’s going to expire or you will no longer have an account,” he said. “Just slow down. Elon isn’t going to take your access away.”

According to Schoenefeld, the university will never threaten over email to take away access to something students, faculty or staff need. Waters agreed and added that the university will never email to ask for information it shouldn’t need.

“Elon doesn’t need your password,” he said. “We don’t need it to do what we do. So never, ever, give away your password.”

What the email is asking for should be the first sign that it is not legitimate, though there are other signs.

“Grammar is still important,” Schoenefeld said. “And just because there’s an Elon picture there doesn’t mean it’s from Elon.”
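The sender-spoofing point made earlier and the cues Schoenefeld lists here (pressure to act or lose access, a request for credentials, Elon branding that proves nothing) can be turned into a mechanical triage check. The Python script below is an added example, not Elon Technology Services’ tooling or anything described in this article. The two messages it inspects are constructed, and the `Authentication-Results` header it reads (SPF/DKIM verdicts stamped by a receiving mail server) is an assumption that goes beyond what the article describes; the check also flags a link whose visible text names elon.edu while its real target is another domain.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "elon.edu"  # the domain the message claims to come from

# Pressure language: loss of access, a deadline, an expiring password.
PRESSURE_RE = re.compile(
    r"\b(?:no longer have|lose access|will be (?:suspended|disabled|deactivated)"
    r"|password (?:is going to|will) expire|within \d+ hours?|immediately)\b", re.I)
# Words that signal the message wants the reader to hand over credentials.
CREDENTIAL_RE = re.compile(r"\b(?:password|login|credentials)\b", re.I)

# Constructed sample messages, not real Elon mail. The Authentication-Results
# header (SPF/DKIM verdicts) is assumed to be stamped by the receiving server.
SAMPLE_PHISH = b"""\
From: Technology Services <techservices@elon.edu>
Return-Path: <bounce@mail-verify-portal.example>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=mail-verify-portal.example; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>You will no longer have access to your transcript on OnTrack unless
you register your OnTrack login and password with Technology Services within 24 hours.</p>
<p><a href="http://ontrack-elon.example/register">https://ontrack.elon.edu/register</a></p>
</body></html>
"""

SAMPLE_LEGIT = b"""\
From: Technology Services <techservices@elon.edu>
Return-Path: <techservices@elon.edu>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=elon.edu; dkim=pass header.d=elon.edu
Content-Type: text/plain; charset="utf-8"

OnTrack will be unavailable Saturday from 2 a.m. to 6 a.m. for maintenance.
No action is needed on your part. Questions? Call the Service Desk at 336-278-5200.
"""


class _TextAndLinks(HTMLParser):
    """Collects visible text and (anchor text, href) pairs; plain text passes through."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor).strip(), self._href))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_trusted(host, trusted):
    host = (host or "").lower()
    return host == trusted or host.endswith("." + trusted)


def _host_in_text(anchor):
    # Hostname a reader would infer from link text such as "https://ontrack.elon.edu/x".
    try:
        return urlparse(anchor if "://" in anchor else "//" + anchor).hostname or ""
    except ValueError:
        return ""


def triage(raw: bytes, trusted: str = TRUSTED_DOMAIN) -> dict:
    """Return the phishing cues found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = _domain(parseaddr(str(msg.get("From", "")))[1])
    bounce_dom = _domain(parseaddr(str(msg.get("Return-Path", "")))[1])
    auth = str(msg.get("Authentication-Results", ""))
    passed = {m.group(1) for m in re.finditer(r"\b(spf|dkim)=pass\b", auth)}

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _TextAndLinks()
    parser.feed(body.get_content() if body is not None else "")
    text = " ".join(parser.text)

    # A link whose visible text names the trusted domain but whose href goes elsewhere.
    deceptive = [(anchor, urlparse(href).hostname or "") for anchor, href in parser.links
                 if not _is_trusted(urlparse(href).hostname, trusted)
                 and _is_trusted(_host_in_text(anchor), trusted)]

    claims_trusted = from_dom == trusted
    result = {
        "sender_mismatch": claims_trusted and bool(bounce_dom) and bounce_dom != from_dom,
        "unauthenticated": claims_trusted and not passed,
        "pressure": [m.group(0) for m in PRESSURE_RE.finditer(text)],
        "credential_words": sorted({m.group(0).lower() for m in CREDENTIAL_RE.finditer(text)}),
        "deceptive_links": deceptive,
    }
    strong = (result["sender_mismatch"] or result["unauthenticated"] or result["deceptive_links"]
              or (result["pressure"] and result["credential_words"]))
    result["verdict"] = "suspicious" if strong else "no phishing cues"
    return result
```

Run `triage(SAMPLE_PHISH)` and it reports the claimed elon.edu sender bouncing to another domain with neither SPF nor DKIM passing, the "no longer have" and "within 24 hours" pressure phrases, the request for a login and password, and the link that displays an elon.edu URL while pointing at ontrack-elon.example; `triage(SAMPLE_LEGIT)` reports no cues. Pressure language alone does not produce a verdict of suspicious, since a genuine maintenance notice can carry a deadline; it counts only when paired with a request for credentials, which matches the article’s advice that Elon never asks for a password.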

If an Elon email user isn’t sure whether an email came from a legitimate source at Elon, the answer is a phone call away. Schoenefeld recommends calling the Elon Service Desk, available at 336-278-5200 during normal working hours, or emailing security@elon.edu at any time to report suspicious activity.

“What’s best to do is report it, and we can do some things to stop it from getting in,” Waters said. He added, “In a lot of ways, people can help us by, if you get one, you know it’s spam, block that sender. And then that stops that sort of water from the dam from happening.”