Students from Plattsburgh State and SUNY Adirondack were targeted by several types of scams over the summer, causing Plattsburgh State officials to send out warnings to the student body. Numerous Plattsburgh State students received phishing emails, while SUNY Adirondack students were targeted by phone scammers asking for personal information.
Plattsburgh State’s Information Security Analyst and Information Security Chair Symen Mulders and Assistant Chief Information Officer John Bradley stated that most of the emails were generic phishing scams, but there was one spear phishing attempt aimed at specific students. The spear phishing attempt involved a hacked email account that was used to ask students for assistance in purchasing an iTunes gift card.
Plattsburgh State’s Information Security Officer Holly Heller-Ross said the school is currently instituting multi-factor authentication for faculty and staff through Duo Security, with about 300 staff members already using the service. Heller-Ross hopes in the future to extend the features to the student body, as soon as the budget allows.
Until then, students will have to rely on standard security practices such as using strong passwords and being wary of suspicious emails. “Phones and email remove distance,” Symen Mulders says. “Whenever you get a phone call or read an email, you should have the mindset that you’re in an unfamiliar neighborhood at 3 a.m. Be suspicious.”
Colleges around the world are attractive targets for attackers. Their easily accessible networks and infrastructure provide a large attack surface, and students are often poorly trained and susceptible to social engineering. Universities can certainly benefit from new-school, interactive awareness training to build a culture of security among students and faculty.
Where to deliver that training is an interesting question. A dedicated, required course is probably out of the question, but it could be offered as part of new student orientation. Should it be delivered periodically through the course of the year, in the way campus safety issues are commonly addressed? Or as a small module in a security-across-the-curriculum program, integrated into any course that uses online resources, which will effectively be all of them?
And who at a university should be responsible for delivering the training? An academic department? Or would student services be a better choice?
Could the training itself be gamified in an interesting way? College students are a notoriously tough crowd, but there are people with experience designing security awareness training tailored for even the hardest-to-reach audiences.
Cardinal Points has the story: http://cardinalpointsonline.com/phishing-scams-hit-campus-emails/