Columbia Advisory Group
Spearphishing Defense Tips for Students
Cyber Criminals Conducting Successful Spearphishing Campaigns Against Students at Multiple College and Universities
Tips to share with students
By David Maxwell, Chief Information Security Officer & Director of the Information Security Practice at Columbia Advisory Group
The FBI has identified successful spearphishing campaigns directed at college and university students, especially during periods when financial aid funds are disbursed in large volumes. The Department of Education identified a similar spearphishing campaign targeting multiple Universities. In this attack, the cybercriminals sent spearphishing emails requesting students’ login credentials for the University. The email invited them to view and confirm their updated billing statement by logging into the school’s student portal. After gaining access, cybercriminals changed the students’ direct deposit destinations to bank accounts.
For a phishing attack to work, the bad guys need to trick you into doing something. Fortunately, there are clues that a message is an attack. Here are the most common ones:
- It is becoming much easier for cybercriminals today to find or purchase personal information so expect more personalized scams.
- The email creates a sense of urgency, demanding “immediate action” before something bad happens, like closing your account. The attacker wants to rush you into making a mistake without thinking.
- You receive an email with an attachment that you were not expecting or the email entices you to open the attachment. Examples include an email saying it has an attachment with details of Financial Aid or a letter from the IRS saying you are being prosecuted.
- The email requests highly sensitive information, such as your credit card number or password.
- The email says it comes from an official organization or uses a personal email address like @gmail.com, @yahoo.com or @hotmail.com.
- The link looks odd or not official. One tip is to hover your mouse cursor over the link until a pop-up shows you where that link really takes you. If the link in the email doesn’t match the pop-up destination, don’t click it. On mobile devices, holding down your finger on a link gets the same pop-up.
- You receive a message from someone you know, but the tone or wording just does not sound like him or her. If you are suspicious, call the sender to verify they sent it. It is easy for a cyber attacker to create an email that appears to be from a friend or coworker.
If you believe an email or message is a phishing attack, simply delete it or send it as an attachment to Email@Domain.edu. Ultimately, common sense is your best defense.
Do you need help managing cybersecurity at your educational institution? Contact one of our experts about cybersecurity assessments and fractional ISO services.