When Alejandra Sanchez opened an email from UCSB last week, she noticed something wasn’t quite right.
“It looked suspicious because it was a blank email with a small link on it from an unfamiliar name,” the fourth-year psychology major said in an email.
Upon seeing a surprising lack of contact information for the university, which is usually found on university notices, Sanchez deleted the email.
Sanchez, along with many UCSB students, received a fake email last week to her umail account from a source claiming to be from the university, warning that her email was restricted and required verification to be accessed. The students were urged to click on a provided link, which would send them to a website where they could type their username and password to retrieve their email account.
Scammers are reaching UCSB email accounts through “phishing,” a multi-billion-dollar underground illegal business in which scammers send forged emails to a pool of email users and wait for users to respond to the message. While Sanchez did not respond to the “phishing” bait, many students did, releasing their usernames and passwords and allowing their accounts to be used in other phishing attempts by scammers.
Earlier this month, a similar email was sent to UCSB staff, and 16 members released their login information to the dangerous site. These unsecure emails are not the first of their kind and pose a variety of threats to email users.
Once scammers have a username and login, they could use it as a gateway to access other accounts or look into students’ academic and personal records.
According to Sam Horowitz, UCSB’s chief information security officer, phishing is “very common and fairly easy to do.”
“There are bad guys in the world,” Horowitz said. “This is kind of the nature of what email and criminal … activity look like today.”
Phishing is common in many countries, including those formerly part of the Eastern Block and some unexpected countries such as Germany and the United States.
“A lot of former Soviet countries are places we see hotbeds of activity,” said Joe McClain, the director of student systems I.T. infrastructure, security & user support of UCSB’s Student Systems and Technology.
“Of course, China is on the list; there’s a lot of stuff happening in China, but there’re also countries you would never expect that would show up on the radar.”
McClain said unsecure emails are becoming more “sophisticated” to look like emails sent from legitimate organizations.
“When spammers go phishing, they are throwing a lure out there to see how many people bite on it,” McClain said. The more refined the email, the more likely people will trust it and release personal information.
Spammers are not only interested in accessing singular email addresses, but look for addresses that are trusted and widely used, like the umail server. The level of this spam only appears to be rising.
McClain said there are “hundreds of thousands” of spam emails sent to the university’s many departments daily.
“It’s getting worse because it works … they can throw a message out there, and people click the link and give out their usernames and passwords,” McClain said. “If people didn’t do it, it wouldn’t be worthwhile.”
The university is always making improvements to the security systems in each department, but McClain notes in some cases it is easier to secure administration and business department emails on campus than academic departments.
“The faculty typically wants things to be wide open, they want to be able to whatever they want to do … and the faculty have tremendous weight on campus,” McClain said. “So there are only so many things we can do to provide controls on systems used on the academic research side.”
Horowitz sent an email to students Friday in response to the phishing attacks with suggestions about how to avoid getting trapped in a phishing attempt, such as being aware of who the email is coming from or what the email looks like.
He also advised students to be “skeptical” of messages that seem “too good to be true, the consequences [are] too dire [or there’s a] sense of urgency.”
Luckily, Sanchez and many other students refrained from giving their login information to the unsecure email sent last week. Horowitz said he hopes that with increased education about the danger of these phishing emails, fewer students and faculty will even consider opening the illicit messages.
“This is an important thing, [and] it needs to be dealt with,” he said. “This stuff happens, and you need to protect yourself.”