Go phish: Spam emails fill inboxes
January 27, 2016
When the email’s subject line reads “Dear User” or “Mailbox Storage Limit,” most people with a Tulane University email account know that they are once again the target of a phishing email.
Technology Services acknowledged a recent increase in phishing reports, putting user information at risk and forcing those falling for the scams to reset their email accounts. Holiday breaks and semester beginnings are when these phishing spikes typically occur.
“For the last several semesters, we’ve experienced a big uptick in phishing because we have a new influx of students that come in and they all immediately start giving away their passwords,” Information Security Officer Hunter Ely said. “Over the Christmas break, we reset passwords for three dozen accounts.”
Phishing emails happen when third parties searching for user information send emails posing as website administrators warning about mailbox capacities or as students. An individual’s login information is taken by the scammer if the user is tricked by the fake message into providing it.
This is neither new nor entirely preventable. Technology Services’ Information Security Office, in accordance with university administration, has elected to maintain the existing open network structure, even though it allows phishing emails to come through.
Technology Services believes in ease of access to the network across campus because students and faculty require it for daily use. Tulane publishes an online directory of email addresses as a way to allow university affiliates to search and contact other students or faculty.
“On campus, [students] want unfettered access to the Internet,” Ely said. “They want to be able to play games; they want to be able to get their Netflix. We have to give them a level of service that they expect in an Internet provider, and we have our researchers, our faculty and staff doing the support functions of the business of the university.”
User education against phishing is now supported by Technology Services as the most effective step to prevent manipulation by phishers, but bringing the issue to the attention of students is not always easy because of the complex and demanding aspects of university life. Information security is far from most students’ minds.
“We talk about it quite a bit in the initial emails people get when they start at the university, but it’s hard to be heard when a student is focused on getting their classes ready and buying books and moving in,” Ely said.
Some students are aware of the phishing problem, but making that distinction is challenging when emails are sent under seemingly genuine names.
“In my high school, I never had that issue,” freshman Hannah Sklover said. “In coming to college, I wouldn’t know if [the email] was spam at first. I feel like it’s in the best interest of the university to block those emails.”
Tulane currently uses a product called OpenVMS that allows the Information Security Office to block websites and links attempting to scam users. The technology will block the website from anyone attempting to follow the link on a phishing email.
This does not solve the underlying problem of phishing emails being sent in the first place. For this to happen, services permitted to send emails from Tulane would have to be individually inspected and “whitelisted” by the ISO. The second option is to shorten recipient lists so that compromised accounts cannot send phishing to large amounts of people.
If the change was made, Ely estimates that around half of phishing content would be eliminated. The administration’s philosophy of open communication and ease of access, however, remains the cornerstone of the ISO’s approach.
“There is no foolproof method for eliminating this kind of spam,” said Charlie McMahon, vice president for information technology and CTO of Tulane. “No technology we employ is as good as an educated user.”
Leave a Comment