College students are favorite targets for phishing scams. Maybe it’s because they’ll be responsible for their own finances for the first time and don’t have a lot of experience. Maybe it’s because students need to fill out a lot of forms, so one more doesn’t seem very suspicious. Maybe it’s because they’re nervous about their career prospects and how they’ll pay off their loans.
Whatever it is, a lot of students respond to deceptive email by handing over personal information or sending money to disappearing bank accounts. They can end up losing thousands of dollars. Students need to be wary of email that asks them for personal information. When in doubt, they shouldn’t respond to such messages, but should confirm the request through another channel. If the mail links to a supposedly official school website, logging in with a bookmark is safer.
Educational institutions keep a lot of information on their students. In some cases, letting it fall into the wrong hands could endanger them. Activities which are accepted or tolerated on campus could land foreign students in serious trouble back home. Acquiring information on them can open the way to blackmail.
The start and end of each semester are times when phishing activity increases. The IT staff is especially busy then, students are getting oriented or are under pressure, and the chances of getting careless are higher.
Even careful people can be fooled some of the time. Students, and for that matter all users, should consider using a virtual private network (VPN). If you don’t know what a VPN is, you are falling behind.
Impersonating school offices
The audacity of the scams may be what makes them persuasive. Who would dare to impersonate the office of the university president? But Loyola students got mail doing exactly that, twice within the past two years. The more recent one urged students to download a file that contained malware and redirected them to a page impersonating one belonging to the university.
The page asked them to enter their student identifier and password. After that, it redirected them to a legitimate university page, but it had collected the login information. Criminals gained access to information that could help them in identity theft.
Students at the University of Wisconsin at Madison experienced a different impersonation scam in 2018, with messages claiming to be from teaching assistants or school officials. The message urged students to download a document which supposedly dealt with end-of-semester situations such as grades. Another set of messages to UW Madison students impersonated the Chancellor and attached a document about a supposed “Business Integrity Program.” Very ironic.
The university’s IT department encourages students to forward suspected phishing mail to a reporting address. It uses the information to set up mail filters that will block similar messages in the future.
Many people believe phishing messages are easy to recognize by their bad grammar and spelling. This may once have been true, but the people behind the scams now use more sophisticated methods, and their messages are often very convincing impersonations. It takes no great effort to forge an email address. Only a close study of the email headers or the URL asking for personal information will reveal the trick.
Other tricks and deceptions
With the usual phishing scam, the user has to follow a link to a fake site and then enter a password or other personal information. In some cases, though, the link leads to a page which directly infects the computer, even if the victim does nothing else. This trick typically depends on the user’s having an old browser with known weaknesses. Students should keep their browsers updated to reduce the chance of that happening.
A student at UCSB reported receiving a supposed “important message” from the university. She followed the link but got only a blank page. She tried it on both her desktop and phone, with the same apparent lack of results.
Later on, she discovered that her email account had been hijacked and was spamming other students. The message was poorly written and “felt like Google Translate,” but some people responded anyway. The university’s IT department was able to secure her account, but only after she had received a lot of unwanted mail.
Kinds of bait
Every phishing message needs some kind of bait to get victims to open an attachment or click a link. The possibilities are open-ended, but these are some of the common ones:
● Job offers
● Offers of help with student loans
● Scholarship offers
● Credit card offers
● Demands for tuition or fee payments
● Official school communications requiring a response
● Information about grades
All of these scams play on students’ hopes and anxieties. They’re concerned about keeping their good standing, getting through without going broke, and satisfying an often confusing set of requirements. People who are worried are easier to fool.
Protective measures by the schools
Educational institutions employ spam filtering in their incoming mail servers. They don’t catch everything, though. Many of them employ authentication methods, such as DKIM, SPF, and DMARC, to help distinguish authentic messages from ones with forged addresses.
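The close study of email headers mentioned earlier, and the SPF, DKIM, and DMARC results just described, come down to a few fields anyone can inspect. The Python example below is added here and is not from the original article; the message, the domains and the `mx.university.example` server name are constructed assumptions. It trusts only the Authentication-Results header stamped by the recipient's own mail server, because a sender can insert a fake one.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: every name, domain and verdict here is invented.
SAMPLE = """\
Authentication-Results: mx.university.example; spf=fail smtp.mailfrom=mailer.invalid; dkim=none; dmarc=fail header.from=university.example
From: "Office of the President" <president@university.example>
Reply-To: president.office@mailer.invalid
Subject: Important message for all students

Please review the attached document.
"""

def domain_of(header_value):
    """Return the lowercased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def header_warnings(raw, trusted_authserv="mx.university.example"):
    """List the reasons a message's headers do not support its claimed sender.

    trusted_authserv is an assumption: the name the recipient's own mail
    server writes at the start of the Authentication-Results it adds.
    """
    msg = message_from_string(raw)
    warnings = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    # Replies that go to a different domain than the visible sender are suspect.
    if reply_dom and reply_dom != from_dom:
        warnings.append(
            f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.split()[:1] != [trusted_authserv]:
            continue  # not stamped by our server; the sender may have added it
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    for method in ("spf", "dkim", "dmarc"):
        result = verdicts.get(method, "missing")
        if result != "pass":
            warnings.append(f"{method} result: {result}")
    return warnings

if __name__ == "__main__":
    for line in header_warnings(SAMPLE):
        print("WARNING:", line)
```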
Some colleges and universities have sent out test phishing messages to students. In a test at Ohio State, clicking the link in the message brought them to a page set up by the IT risk management staff to warn them of the dangers of forged email. The goal was to educate students and to find out how many would be fooled. About 19% of the messages got the recipients to click on the link.
Precautions for students
Students can make themselves safe from phishing scams by forming good security habits. They include:
● Stopping to think about any message that requires login credentials or confidential information.
● Looking carefully at the URL of any page that makes such requirements.
● Using a bookmark rather than an email link to access official sites.
● Recognizing that offers which seem “too good to be true” usually are.
● Not being panicked by urgent demands and threats.
● Using two-factor authentication for important accounts, if it’s available.
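Looking carefully at a URL mostly means finding the real host name and ignoring everything placed around it to look familiar. The Python example below is added here and is not from the original article; `university.example` stands in for the school's real domain, and all the URLs in the test loop are constructed.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "university.example"  # assumption: the school's real domain

def check_login_url(url, official=OFFICIAL_DOMAIN):
    """Return the reasons a URL should not be trusted with school credentials.

    An empty list means the host really is the official domain (or a
    subdomain of it) and the connection is HTTPS.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    # "https://university.example@other.invalid/" connects to other.invalid:
    # everything before '@' is a user name, not the site.
    if parts.username is not None:
        reasons.append("text before '@' is not the host")
    # Labels starting with xn-- are encoded non-ASCII names, which can be
    # rendered with characters that look like ordinary letters.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host name")
    # The official name must be the END of the host, on a label boundary.
    if not (host == official or host.endswith("." + official)):
        reasons.append(f"host {host!r} is not under {official}")
        if official in url.lower():
            reasons.append("official name appears in the URL only as decoration")
    return reasons

if __name__ == "__main__":
    # Constructed URLs for illustration only.
    for u in (
        "https://login.university.example/sso",
        "https://university.example.account-verify.invalid/login",
        "https://university.example@mailer.invalid/login",
        "http://login.university.example/",
    ):
        print(u, "->", check_login_url(u) or "ok")
```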
Phishing scams rely on people being rushed and careless. Treating important-looking messages with the caution they deserve will defeat the scammers almost every time.