Before adding and sharing your Fraud Alert please check to see if a similar alert has already been posted, thank you:

IT division increases security to counter phishing schemes

Post a Fraud Alert:

After falling victim to a phishing scheme targeted at Texas Tech, Emily Foster was unaware she had shared her eRaider credentials with a malicious hacker. 

This happened in early August, and Foster, a senior economics and political science dual major from New Braunfels, did not realize her account had been compromised until it was disabled by IT services. After it was re-enabled a few days later, Foster said she realized the extent to which her account had been misused.

“I noticed that my email had been used to send like 2,900 emails,” she said. “I was just like, now, everyone knows my name because my email address has my name in it. I was like, ‘I didn’t do it on purpose. I swear.’”

The big picture:

Foster was one of several members in the Tech community who fell prey to the phishing emails that saw a rise in frequency this summer. Sam Segran, chief information officer for IT, said the effectiveness of these schemes could be attributed in large part to the fact that they were customized forms of phishing emails, otherwise known as spear phishing.

Phishing emails are conventional in nature and appear to come from a well-known outside entity, such as Dropbox. A spear phishing scheme, on the other hand, is tailored using social engineering to target a specific institution, according to the Norton anti-virus website. An email that appears to come from IT Help Central is an example of spear phishing. 

Furthermore, implementing a spear phishing scheme demands extensive research and increased technical expertise on the part of hackers, Segran said.

“Spear phishing is very targeted. It’s much more effective,” he said. “Once the hackers put a lot of time and effort into it, they will be successful to a point.”

The costs associated with cybercrime quadrupled from 2013 to 2015, and this cost of data breaches is estimated to reach $2.1 trillion globally by 2019, according to Forbes. 

The first step in any successful spear phishing scheme is compromising a few accounts within an institution, Segran said. In the case of Tech, this would likely have been achieved by sending emails from an email account not associated with Tech but disguised as an official Tech account. 

When the hackers have control of a few Tech accounts, it makes the disguise even more effective. These accounts are, in turn, used to send a large number of emails to other members within the Tech community, he said.

“That’s usually when people tend to fall victim more frequently. So, it actually tends to snowball,” Segran said. “The first time one person falls victim, it makes it easier for the hacker and it makes it harder for us.”

The money game:


Sam Segran serves as the chief information officer for Texas Tech. Segran has spent more than three decades in the information technology field, and he is also a Tech alumnus.

Makenzie Harrison

Ultimately, however, the hackers’ aim is to gain monetary benefits, and this can happen in a number of ways, Segran said. Once the hackers have access to a sizeable number of institutional accounts, they can lease them to other less-skilled hackers. Then, the second set of hackers use these accounts as a marketing tool to circulate their own spam emails. 

Alternately, Segran said, the original set of hackers may choose to exploit the eRaider information for direct deposit or other associated personal accounts.

“And if they get into bank accounts, investment accounts and things like that, they’ve got your money,” he said. “They’re in it for business. Ultimately, there’s a monetary piece.”

However, security controls have been implemented at Tech to prevent hackers from gaining access to such  a large number of accounts, Scott Hall, managing director for IT Help Central, said.

While the majority of the compromised accounts are detected automatically by monitoring of unusual behavior, at times, an individual may realize his account has been compromised and proactively contact IT Help Central, Hall said.

“We have processes to detect that their email account is sending out unsolicited messages, sending out a lot of messages, and it’s not normal. So, we disable their account,” he said. “So, that means that the customer is unable to get into anything, and so is the hacker.”

After the account has been disabled, the security team of the IT division follows a series of steps to ensure the account is secure. Then, the email account is re-enabled. The amount of time it takes to re-enable an account varies, but on average, it takes about two days, Hall said.

Finally, the user is educated on phishing emails and other safe cybersecurity practices. The victims are also asked to check other critical information — such as Outlook email rules, and contact and direct deposit information — to ensure the account is secure, he said. 

“The best thing that all of us, really — I mean, it comes to down to each individual — can do is to make sure that they’re not clicking on malicious links and entering their credentials into a malicious website. That’s what it boils down to,” Hall said. “If those things could be done, it would reduce the number of compromises.” 

The process of re-enabling an account is extensive and robust, he said. This ensures hackers are unable to access any features of an email account once it has been activated.

“Once we recover an account, we haven’t had instances,” Hall said. “Generally, once we recover an account, it’s recovered, unless they give out their credentials again.”


An example of a phishing email, which is an email that is disguised as coming from a legitimate source.

Courtesy of IT division

A multifaceted solution:

Another curious aspect of the phishing attacks during the summer is it corresponded with complete migration of Tech email accounts to Microsoft Office 365. However, it is unclear whether the two are related, Segran said. Moreover, the apparent surge in phishing attacks was not immediately after the migration, which was completed in the spring.

In fact, a leading factor for the increase in phishing attacks might be the summer time itself, Segran said. Previously, hacking activities had been noted to increase during Christmas because the IT personnel at certain institutions may not be available to immediately deal with the situation.

In the same vein, summers attract hackers in light of the assumption that the response from IT might be slower. At Tech, however, that is not the case, he said.

“My security team actually are very good at it now of responding very quickly. It’s a bit intense (staff-wise and resources-wise). It’s tight doing it that way because I had somebody working on it at 10:30 last night because hackers don’t stop,” Segran said. “So, we’ve got staff people on call, who have to respond quickly when these things happen.”

With the introduction of Office 365, the on-premises security solutions that were developed over several years could no longer be used. Instead, the exchange server is now handled by Microsoft, he said.

“So, they weren’t customized totally for Texas Tech. They tend to catch everything at a certain base level for all their customers who are using the (Office 365) service,” Segran said. “And if you want further advanced services, you have to pay extra money.”

As a result, from September, Tech will have an upgraded version of security services from Microsoft. This will be in place for a testing period of one year, when the effectiveness of these controls will be compared with the associated costs to evaluate feasibility, he said.

Although the migration to Office 365 comes at an increased cost, there are several associated benefits, as well.

For one, students, staff and faculty now have access to the complete suite of Microsoft services, such as Word and PowerPoint online. Secondly, the storage space increased vastly, and now, each member of the Tech community has 50 GB of email storage and 1 TB of OneDrive cloud storage.

With the introduction of new technology, one of the primary focuses of the IT division is to make it increasingly difficult for hackers to breach into the Tech system, Segran said.

“If we can make it tough for them, then their interest goes down in constantly having to battle us, and they will probably look for easier targets,” he said. “Their goal is not to play games. Their goal is to compromise accounts and try to get some benefits from it.”

The prevention of phishing schemes at Tech, Segran said, is implemented as a combination of three solutions: implementation of additional security control measures on the server, education for the Tech community, and quicker response from the IT staff upon the detection of a compromised account.  

“So, we’re catching them much earlier, and so, the number of compromises we see have dropped dramatically,” he said. “But, there’s still a few, which is still not acceptable.” 

Simple tips for prevention:

The prevention of phishing emails is a collective effort that starts with each member of the Tech community. Phishing emails have telltale signs, being aware of which can prevent one from becoming a victim.

These emails typically play on human emotions to evoke fear, worry or excitement, according to the Tech cybersecurity website. They include time-sensitive threats, such as, “Your account will be closed if you do not respond immediately.”

The cybersecurity website was launched as an initiative to educate the Tech community on safe cybersecurity practices, so they can be better digital citizens, Segran said. Additionally, the IT division hosts events during the year to disseminate such knowledge as creating safe passwords, preventing identity theft and so on.

People should never disclose their eRaider credentials when requested by an email, Segran said, because Tech does not ask for such information.

“We already have it. Why would we ask you?” he said.

When in doubt, individuals should hover over, but not click, the link in the email. This will display the URL of the webpage the user will be redirected to, and it may help identify if the page is not as was purported in the email, Segran said.

Lastly, if one is not expecting such an email, even if it is from a friend, he should call the friend and check to see if he sent the email, he said.

“I guarantee you most of the time, they’re going to say, ‘Oh, no. I didn’t,’” Segran said, “because generally, that’s not how people communicate. How often do you get a friend sending you stuff and saying, ‘Hey, click on this’?”

Even if a person has clicked on a malicious link without entering his eRaider credentials on the subsequent webpage, he must contact IT Help Central at 806-742-HELP. This is because simply opening a webpage may have infected the device with a malware that extracts sensitive information by monitoring web browsing or keyboard activity, he said.

“The biggest thing is this: They generally ask you to click something and give your information,” Segran said.

Student’s perspective:

As a victim of a phishing scam, Foster felt bad that her email account had been exploited to send around 3,000 phishing emails. It is considerably less distressful to both the person involved and his community when he is informed about safe cybersecurity practices, she said. 

Remaining updated on the best ways to protect personal safety online has become increasingly pertinent in the 21st century, when many people’s lives are pervaded by the use of internet, Foster said.

“Cybersecurity safety wasn’t a thing like when our parents were in college. So, this is all stuff that’s left up to us to figure out. It’s a very new issue, but it’s still very important,” Foster said. “I just hope other students know that they shouldn’t click on emails that aren’t from people they don’t know, at the end of the day.” 

Article source: