Hackers are taking the time to get to know smaller colleges.
IT departments at smaller institutions are reporting that they are spending increasing amounts of time protecting against the kind of sophisticated, personalized attacks that once plagued mostly large research universities.
Gone are the days of typo-ridden emails with questionable grammar addressed to “Dear Sir.” In their place are emails seemingly from legitimate senders — administrators and local businesses among them — that seek to gain access to financial and personal information. The fraudulent emails often ask recipients to double-check a payment, forward copies of tax paperwork or initiate a wire transfer.
“You can’t just hide behind your small size,” said Nathan Phillips, chief information officer at Marylhurst University, a private liberal arts university just outside Portland, Ore. “What seems to have changed in the last year or two is that the attacks seem to be more directed. People are clearly doing research on who they’re targeting.”
Phillips shared the example seen above. The email was sent by a hacker who had gained access to an account owned by someone working at a company in the area, he said. At first glance, the message appears harmless — the sender’s address is legitimate, and the recipient would normally handle questions about invoices.
Clicking on the link, however, would likely install malware on the recipient’s computer that could turn it into a launchpad for more phishing emails or lock it down and demand a ransom. (Thankfully, Phillips said, the college did not have to find out.)
The personalized phishing emails are an example of the ever-changing threat landscape colleges and other organizations face. Some institutions are also reporting attacks specifically targeting students, where hackers will impersonate administrators, staffers and potential employers to gain access to students’ accounts.
Stu Sjouwerman, CEO of the cybersecurity firm KnowBe4, said phishing attacks are particularly common in the lead-up to the April 18 tax filing deadline. He recommended colleges maintain extensive backups of their systems, update those systems “religiously” and do simulated phishing tests to keep people on campus mindful of cyberthreats.
Gary O. Roberts, chief information officer at Alfred University, said he has seen a sharp increase in phishing attacks since October. In one recent example, a member of the university’s executive team received an email — purportedly from the university president — urging her to initiate a payment. Other phishing attempts closely resemble official university email communication, down to the institution’s color scheme and logo.
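The two lures described in this article, a message that borrows an executive's name to request a payment and a message that asks the recipient to double-check an invoice or tax document, share a few header and wording traits that mail filters can score before a person ever reads them. The following is an added illustration written for this page; it is not code from Alfred University, Marylhurst University or any vendor named here. The institution domain (example.edu), the executive roster, the keyword lists, the point values and the three sample messages are all constructed for the example, and a real deployment would tune them against its own mail flow.

```python
"""Heuristic screening of inbound mail for executive-impersonation patterns.

Added example for illustration; not the code of any institution in the article.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed for this example: a hypothetical institution and two executives
# whose names are the kind an attacker data-mines from a public directory.
ORG_DOMAIN = "example.edu"
EXECUTIVES = {
    "jane doe": "jdoe@example.edu",       # hypothetical president
    "sam rivera": "srivera@example.edu",  # hypothetical CFO
}

# Lure vocabulary seen in payment and tax-season phishing (constructed lists).
PAYMENT_TERMS = re.compile(
    r"\b(wire|transfer|payment|invoice|w-?2|gift ?cards?|direct deposit)\b", re.I)
URGENCY_TERMS = re.compile(
    r"\b(urgent(?:ly)?|asap|immediately|today|right away)\b", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    _, sep, dom = addr.rpartition("@")
    return dom.lower() if sep else ""


def score_message(raw: bytes) -> dict:
    """Return a score and the reasons behind it for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    norm_name = " ".join(name.lower().split())
    score, reasons = 0, []

    # 1. Display name belongs to a known executive, but the address does not.
    if norm_name in EXECUTIVES and addr.lower() != EXECUTIVES[norm_name]:
        score += 3
        reasons.append(f"display name '{name}' is an executive, address is {addr}")

    # 2. Reply-To steers answers to a different domain than the From address.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != _domain(addr):
        score += 2
        reasons.append(f"Reply-To {reply_to} differs from From domain {_domain(addr)}")

    # 3. Payment or tax-document wording, plus pressure to act now.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    if PAYMENT_TERMS.search(text):
        score += 2
        reasons.append("payment or tax-document language")
    if URGENCY_TERMS.search(text):
        score += 1
        reasons.append("urgency language")

    return {"from": addr, "score": score, "reasons": reasons}


def is_suspect(raw: bytes, threshold: int = 4) -> bool:
    """Threshold is an assumed value; tune it against real traffic."""
    return score_message(raw)["score"] >= threshold


# Constructed sample messages (not real mail).
SPOOFED_EXEC = b"""From: Jane Doe <jane.doe.office@gmail.com>
To: srivera@example.edu
Subject: Quick payment request
Content-Type: text/plain

I'm in a meeting all day. Can you initiate a wire transfer today?
It's urgent, I'll send the details once you confirm.
"""

REPLY_TO_HIJACK = b"""From: Jane Doe <jdoe@example.edu>
Reply-To: jdoe.mobile@outlook.com
To: srivera@example.edu
Subject: Invoice
Content-Type: text/plain

Please double-check the attached invoice and confirm payment asap.
"""

BENIGN = b"""From: Jane Doe <jdoe@example.edu>
To: srivera@example.edu
Subject: Commencement schedule
Content-Type: text/plain

Attached is the draft schedule for May. Comments welcome by Friday.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_EXEC), ("reply-to", REPLY_TO_HIJACK), ("benign", BENIGN)):
        print(label, score_message(sample))
```

The first sample is the pattern Roberts describes: the president's name in the display field, a free-mail address behind it, and a wire request. The second passes the display-name check because the From address is genuine, which is what a compromised or unauthenticated sender looks like, so the Reply-To mismatch and invoice wording carry the score. The benign message from the same president scores zero, which matters because a filter that flags every executive email only reproduces the double-checking burden the article goes on to describe.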
“They’re drilling down, data-mining names,” Roberts said. “They’re looking at branding, messaging and how we interact with each other. We’ve never seen scams get that sophisticated before.”
The private university, located two hours outside of Rochester, N.Y., has about 2,000 total students.
Roberts said college IT departments are “on edge” about phishing attacks, especially in light of the role a phishing email played in the Democratic National Committee hack last year. Educating administrators, faculty members and staffers about how to identify phishing attacks has helped cut down on cases, he said, but it has also created a sense of paranoia. A growing number of suspicious-looking emails forwarded to his department for verification are actually legitimate messages, he said.
Roberts said he is concerned about the impact having to check and double-check emails is having on the administration’s productivity. “I don’t want to put that much of a wrinkle in the workflow of our executive team,” he said.
Phishing is also having an effect on the IT department’s finances, Roberts said. As the attacks become more sophisticated, the college is forced to invest in new security measures to keep up.
Generally speaking, IT departments are still feeling repercussions from the financial crisis. Many departments have yet to see their budgets recover.
“It’s hard for me to put a dollar amount on it, other than to say it’s quite frankly becoming a top concern,” Roberts said. “I’m doing less and less of moving the institution forward and doing more and more risk mitigation.”
Some college IT staffers are exploring other means of communication to decrease the risk that their systems will be breached.
Chris Blackstone, chief information officer at Spring Arbor University in Michigan, said the university has begun moving some of its internal communications to private chat services.
“Email is generally a terrible communication and collaboration tool,” Blackstone said in an interview. “There is a place for private chat at [colleges], because literally the only people who can get into that system are people who have accounts created for them.”