Phishing scams increase at The College of Wooster

Tristan Lopus

Chief Copy Editor

As an institution that exists in the 21st century and uses email, The College of Wooster continues to deal with the ubiquitous threat of phishing scams. With the prevalence of these sorts of scams at the school, it’s imperative to understand the threat the members of the College are dealing with.

Phishing is a type of scam whereby a malicious actor attempts to gain unauthorized access to a secure account by deceptively obtaining the account’s credentials from its rightful owner. The most common form of phishing, and that which most affects the College, is email phishing. This involves sending unsolicited emails to account owners wherein the sender poses as a legitimate web service and directs the user to enter their credentials at a hyperlinked site. It visually and functionally mimics the legitimate site but is in fact a malicious site designed to harvest any credentials submitted to it.

For example, an attacker could send an email pretending to be Microsoft Account Services with the instruction “click here to reset your password now.” However, whereas in a legitimate email with such an instruction clicking on “here” would take the user to “account.live.com,” in this example, it takes the user to “as23fdlskj293d3adlf.com,” a site designed to mimic account.live.com. When the user inputs their login credentials into as23fdlskj293d3adlf.com, they are sent not to Microsoft but to the hacker, who can then use them to log into the user’s Microsoft account.

The ultimate goal of almost all phishing is monetary gain. This begs the question, “How can monetary gain be made by covertly accessing a person’s Wooster online account?” In an interview with the Voice, Director of Technology Services Vince DiScipio explained that when phishers phish College email accounts, they are typically not interested in accessing College accounts as an end but as a means to accessing people’s other online accounts. Many people use the same email and password for all or many of their online accounts, so having the credentials for a person’s Wooster account could mean having access to their online banking accounts, or their Google, Apple, Facebook and other accounts, all of which might have credit card or other financial information saved in them.

Access to Wooster email accounts can also provide phishers capabilities that allow them to phish more effectively. One of the tell-tale signs of phishing is when the “From” name of the sender does not match the email address from which the email came; for example, the “From” field of a phishing email might say “Google Account Services” but the “From” email address field of the message might say “al209sfl20d0sfs0@2ad09an2309s908.net.” This is because a phisher can manually edit the “From” field, but not the email field. However, if a phisher has direct access to a Wooster user’s email account, they can send the email from that user’s email address, which may make the email seem more credible.

DiScipio also explained that the phishing attacks that affect the College are broadly targeted and highly automated. By writing web crawlers and browser automation scripts, phishers are able to download Wooster email addresses, alongside addresses from hundreds or thousands of other institutions, and automatically send phishing emails to them all. Even the recent phishing scam specifically impersonating President Bolton, DiScipio said, probably began with an automation script that searched the web for “college presidents.”

The high degree of automation of these phishing scams make it easier for phishers to send high volumes of phishing emails. DiScipio said that, prior to 2012, when the College managed its own email servers, its mail filters blocked close to 90 percent of incoming email traffic. Since the College has now switched to an Exchange server managed by Microsoft, DiScipio does not know how much traffic is blocked from the servers, but he speculates that the proportion of traffic that is blocked has only increased since 2012.

One major advantage of having the College’s email hosted on Microsoft-managed servers is that Microsoft has highly advanced filtering algorithms that draw on data collected from all servers hosted by Microsoft. This means that when an email sent to one Microsoft-managed server is marked as spam, the same message will be blocked from all other servers hosted by Microsoft. So if, for example, a school district in New Mexico reports an email as phishing, that sender’s emails will be treated with greater suspicion and potentially blocked when sent to Wooster email addresses and addresses of accounts hosted on any Microsoft-managed server).

Despite these sophisticated efforts to block phishing emails from ever reaching Wooster inboxes, DiScipio said that receiving phishing emails is nonetheless a reality of life in the digital age. What is more even more important than preventing these emails from reaching inboxes, then, is mitigating the damage that can be done when they are received.

To that end, DiScipio said he and the I.T. department are planning one or more workshops to educate the Wooster community on how to identify phishing emails, even when they do not exhibit all the typical signs of a phishing email.

Additionally, DiScipio mentioned that two-factor authentication is currently being piloted among the I.T. and human resources departments, and could be deployed to the entire Wooster community in the coming years. With two-factor authentication enabled, a phisher would not be able to access Wooster accounts even if they had their usernames and passwords. While this would be unlikely to discourage phishing emails from being sent in the first place (since they are sent through such a highly automated process), it would diminish the damage that could be done when a user’s credentials are exposed.