Cyber-scammers have started impersonating upper-level staff members of the college with the intent to steal money from students and staff.
While phishing email scams have always been a problem, the attackers have become more strategic. Most recently, Dr. Justin Paul, visiting professor of international business and marketing, received an email from someone impersonating Dr. Timothy Pett, professor and chair of the Department of Business.
The email’s name was Timothy Pett, and its email address was firstname.lastname@example.org. The message asked Paul if he was available and was followed by a detailed signature listing all of Pett’s information, including his office location, telephone number, and various degree qualifications.
All the information seemed real, so Paul responded his availability and provided his cell phone number. The first text Paul received read, “Hi Justin, I’m in a meeting right now, can’t talk but let me know if you get my text. Thanks, Timothy Pett.”
To Paul, it all seemed believable—it was a U.S. number, and because he did not have Pett’s cell number, he was not able to tell it was incorrect.
Once he responded, the number said it needed his help purchasing $700 worth of iTunes gift cards. It ensured a reimbursement and sent all the appropriate links to complete the purchase, pleading urgency because of the meeting he was in.
“It was not just coming from one of my colleagues; it came in the name of my department chair,” said Paul. He tried to purchase all $700 worth of cards at first, but technical difficulties stopped him.
Attackers frequently ask for gift cards because they are easy to re-sell and are more believable than asking for other forms of money, like wire transfers or deposits.
Paul ended up purchasing one $75 card, and once the number continued to text him multiple days after, he realized it was a scam. He reported the issue to Campus Safety and the Winter Park Police Department.
Bill Rodriguez, senior security engineer for the Office of Information and Technology (IT), investigated the incident and found that the number was connected to a program called Bandwidth, a voice-over internet protocol (VoIP) that allows telephone services to operate via computer programs. Scammers can develop unique phone numbers through VoIP programs to protect their identity while appearing convincing through a U.S. area code.
In Paul’s case, the area code showed to be from Denver; however, the IP address of the attacker traced back to Japan.
Phishing schemes have become increasingly common within colleges, where people’s information is publicly displayed online. While it is important from a marketing standpoint for colleges to put the faces of professors and administrators on websites, it also gives a lot of information to potential scammers looking to impersonate people or retrieve emails.
In the month of February alone, there were 28,426 phishing emails detected by Microsoft through known malicious websites, reputation, or machine learning techniques, according to Rodriguez. He said that there were 403 incidents reported by students, faculty, and staff to IT’s phishing email address, email@example.com. Additionally, there were 989 malware threats detected in emails and blocked by Microsoft.
“We have a lot more public information than most businesses would because we are a college,” said Rodriguez. “That gives the attacker more resources they can use to fool people into things like this.”
Scammers build scripts, which is a list of commands executed by a computer program, to scan a company or college’s website and categorize people’s information. Once it figures out the email style a company or college uses, it will run through all popular names. For example, Rollins uses first initial, last name for its emails, so the script may build a list of emails with all first initials and the last name “Smith.”
Then, it sends out mass emails to see who takes the bait. Once one person falls into the trap and scammers get their information, they can access even more emails.
“It’s really simple,” said Julie Sparks, IT’s security operations assistant. “It’s not like they’re spending time looking through Rollins specifically and pulling information and making connections.”
In the case of impersonating administrators, these schemes are more deliberate and strategic. The attackers are specifically looking for people with higher positions, like vice presidents or department chairs, because it is more likely for someone to respond to them.
Scammers have tried impersonating payroll specialists and even Rollins President Grant Cornwell, according to Rodriguez.
“We have seen a lot from the President, and we are working very hard to stop those, especially from him,” he said. He revealed that there have also been issues with attackers trying to change staffers’ direct deposit information.
As attackers become more strategic, IT has instituted many measures to protect the campus. After Paul’s experience, IT removed the campus directory from the college’s website and it can now only be found through FoxLink. IT also has Microsoft Outlook programs that block certain senders or keywords that phishing scams frequently use in emails.
Additionally, the direct deposit forms are no longer online. Now, you have to ask payroll for it, and an employee has to call you and verify your request. Then, you have to hand deliver the form to human resources; you cannot email it.
“We have taken a lot of steps to make sure direct deposit is safe,” said Rodriguez.
IT has also built more educational initiatives. October was “Phishing Awareness Month,” and a large phishing awareness poster still stands next to the IT Help Desk in Olin Library.
As education increases, phishing reports increase, too, said Rodriguez. He said it is important for people to report instances to IT because it helps them institute new protective measures. If you experience any form of online phishing, you can report it to firstname.lastname@example.org.