Penn State is warning its community about a recent spike in phishing attacks targeting the university’s employees. Attackers are sending emails posing as real Penn State employees and asking recipients if they can borrow money. The victims are instructed to buy gift cards worth hundreds of dollars from popular stores and then send photos of the cards’ codes to the attackers.
The emails purport to come from someone the victim knows personally, so the victim is more likely to trust the sender’s claims that the money will be reimbursed. Rich Sparrow, Penn State’s acting chief information security officer, said the attackers are putting a great deal of effort into making the emails seem legitimate.
“These attacks are highly targeted and personalized to one person or a group of Penn State employees who share a connection,” Sparrow said. “Hackers can spend months monitoring groups in order to collect data to create a convincing message.”
While the recent wave of attacks against Penn State is focused on gift card fraud, universities are also major targets for espionage-related attacks. Students, faculty, and staff are all targets, and they need to be taught how to recognize and thwart social engineering tactics.
“The best way to defend yourself is to be aware,” Sparrow continued. “Verifying that it is indeed a coworker with a phone call if you are suspicious is always your best bet for determining whether a sender is legitimate or not.”
Spear phishing attacks are particularly difficult to detect, and Penn State says people should be on the lookout for suspicious requests, even if they seem to come from someone they trust.
“Be wary of emails that ask you to open a file, click on a link, or enter information into a form,” the alert states. “Be especially careful of emails that ask you to enter your Access Account information. Remember: you wouldn’t give a stranger the keys to your apartment — when you give up your Access Account information, you’re doing the same thing with your digital space.”
New-school security awareness training is an essential component of every organization’s security strategy, and it can help your employees spot the fundamental signs of social engineering.