‘Phishing’ on the rise, don’t be a victim



Sept. 12, 2016

SLIPPERY ROCK, Pa. - On average, it takes only 82 seconds for cyber thieves to lure in the first victim of any given email scam, otherwise known as "phishing," according to a recent report compiled by Verizon.

With the start of the academic year the campus can expect to be the target of numerous "phishing expeditions," according to the University's Office of Information and Administrative Technology Services. Their advice: be cautious.


"The key thing is it's becoming more and more sophisticated," said John Ziegler, associate provost for IATS. "We've gone from people saying, 'I am a hostage in Kenya. Can you do something?' to now having it look as though you've received an official communication from your bank. Thieves are doing very sophisticated things because they know the daily operations of our world; they are able to make a scam look like it's a regular, bonafide email."

Phishing scams are fraudulent emails appearing to come from a person's school, business, Internet service provider, credit card company, friends or even the Internal Revenue Service. Phishing attempts to lure the recipient into verifying personal information and providing financial account information. Unwitting compliance can result in identity theft, theft of money and legal problems.

Schemes aimed at obtaining passwords and Social Security numbers are becoming more elaborate, said Ziegler, especially those using fear to target students' bank accounts, job interests and daily routines.

"The consistent thing about all of these, which hasn't changed, is a reputable business will not ask you for your account name, your password or Social Security number," Ziegler said. "If you don't know the person, don't mess with it."

The Anti-Phishing Working Group said there were more phishing attacks in the first quarter of 2016 than in any three-month span since it began tracking such activity 12 years ago.

The group identified 123,555 unique phishing websites in March 2016, compared to 44,575 in November 2015, according to its Activity Trend Report.

While there are many forms of phishing, two main ones are "spear phishing," which targets specific individuals, and "whaling," which targets executives and other high-profile people.

Ziegler said users can identify a counterfeit email, or for that matter a phone call or snail mail, if the incoming message asks for any personal information, account names and/or numbers, or makes promises that are too good to be true. A typical one might include the promise of a job offer with a large signing bonus or other get-rich-fast scheme.

"Students get job offers that promise a $5,000 check and if they send the person a check for $4,000, they can keep the extra $1,000," Ziegler said.

Some phishing attempts could even appear as though they originated from SRU. For instance, an email may come from "supportteam@sru.edu," asking recipients to provide details about their email account, including username, password and/or date of birth. The motivation for those receiving such an email to comply is that "failure to do this will immediately render your email address deactivated from our database," which would never occur, according to Ziegler.

Another common ruse is to send an email that appears to come from the SRU registrar, telling the student that he or she is going to get kicked out of school unless the student pays a certain amount of money to "the University."

"A lot of these efforts are based on scare tactics or a sob story and cry for help," Ziegler said. "Unfortunately, we are a society that falls for many of those things."

While the schemes are becoming more deceptive, Ziegler said Microsoft and Forefront spam filters block 96 percent of phishing attempts to SRU accounts, so most will never reach their intended destinations.

As a habit, Ziegler said, students, faculty and staff should not use their University email accounts to conduct any non-SRU-related business transactions, monitor personal bank accounts or keep track of online debt and/or loan payments.

Members of the University community should also be suspicious of any email or social media message that asks them to enter or verify personal information, either through a website or by replying to the message itself, Ziegler said. "Never reply or click the links on any such message," he said.

Ziegler added that all users should make it a practice to read email in plain text, as phishing messages often contain clickable images that look legitimate. By reading in plain text, users can clearly see the URLs and other non-text formatting used in email scams.
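
The plain-text advice above, as an added example that is not part of the original article or any SRU tooling: a short Python script that lists where each link in an HTML message really goes, flagging image-only links and links whose visible address names a different host than the destination. The sample message and its example.net and example.edu addresses are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkLister(HTMLParser):
    """Collect each <a href> together with what the reader would actually see."""
    def __init__(self):
        super().__init__()
        self.links = []    # finished (href, visible_text, has_image) tuples
        self._open = None  # link being read: [href, text_parts, has_image]
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._open = [attrs["href"], [], False]
        elif tag == "img" and self._open:
            self._open[2] = True
    def handle_data(self, data):
        if self._open:
            self._open[1].append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            href, parts, has_img = self._open
            self.links.append((href, " ".join("".join(parts).split()), has_img))
            self._open = None

def host_of(text):
    """Host named by text if it looks like a URL or bare domain, else ''."""
    if " " in text or "." not in text:
        return ""
    return (urlsplit(text if "//" in text else "//" + text).hostname or "").lower()

def plain_text_links(html):
    """Yield (destination_host, visible_text, warning) for each link in an HTML body."""
    parser = LinkLister()
    parser.feed(html)
    for href, text, has_img in parser.links:
        dest, warning = (urlsplit(href).hostname or "").lower(), ""
        if has_img and not text:
            warning = "image-only link"  # a picture hides the address entirely
        elif host_of(text) not in ("", dest):
            warning = "visible address differs from destination"
        yield dest, text or "[image]", warning

# Constructed sample body; every address is a placeholder, not from the article.
SAMPLE = """<a href="http://login.example.net/verify"><img src="cid:logo" alt="Verify"></a>
<a href="http://mail.example.net/reset">https://www.example.edu/account</a>
<a href="https://www.example.edu/help">Help desk</a>"""

if __name__ == "__main__":
    print(*plain_text_links(SAMPLE), sep="\n")
```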

SRU will look to educate the University community on phishing and other Internet-related matters via the 2016 Cyber Security Fair from 12:30-3 p.m., Oct. 27, in the Smith Student Center Ballroom. Presenters will provide online safety tips for different aspects of connectivity, including: email, social media, smart phones and passwords.

MEDIA CONTACT: Gordon Ovenshine | 724.738.4854 | gordon.ovenshine@sru.edu