When an email arrived in Marilyn Garczynski’s inbox from her boss asking for her cell phone number one September morning, she thought there was a problem demanding her immediate attention.
What was actually happening was a common scam. She was being phished.
Like everyone else at Slippery Rock University (SRU) and around the country, Garczynski, who works as the secretary to the Communication Department, was working in a modified and, at times, remote world due to the coronavirus pandemic. That Thursday morning, when she received the email, she was in her office on the second floor.
Phishing attacks occur when a fraudulent actor sends an email pretending to be someone else in an attempt to gain access to systems or financial data. Those emails can be sent from an address made to look legitimate or from a compromised email address.
The email was just one sentence: “Send me your available text number that I can reach you at.” It was signed by the dean of the College of Business, Lawrence Shao.
The message was short, and at first all Garczynski, who began working at SRU 16 years ago when she was in her early fifties, noticed was that her boss was asking her a question and that she had best not keep him waiting.
“When the dean emails me, I’m thinking I better respond immediately,” Garczynski said. “He’s my boss, he’s the big one.”
A target who is in a hurry and a message that appears to come from a place of authority, like a superior, are the cornerstones of successful phishing expeditions, according to Associate Provost of Information and Administrative Technology Services (IATS) John Ziegler.
Ziegler has spent 32 years in the information technology sector, the last eight with SRU, working to keep bad actors out of university systems and to keep the immense amount of student and employee data safe. His job requires him to keep secure the credentials of more than 11,000 university accounts, along with over 3,000 computers and mobile devices spread across the campus.
According to Ziegler, while each of those 3,000 devices can be an entry point, now, with employees and students remote and everything on the internet, the number of entry points is almost unlimited.
“We have as many entry points as there are computers in the world,” Ziegler said. “That’s what is interesting about [cyber-attacks], once we hit sru.edu there has to be some protection.”
Attackers not only use digital disguises to trick their targets into giving up credentials or opening a corrupted file. They also cast a wide net in hopes of catching someone having an off day, Ziegler said.
“They are looking for people who don’t have time or [not] paying attention,” Ziegler said. “That’s common for all of us.”
Within minutes of giving the attacker her phone number, Garczynski received a text.
“He said, ‘Are you able to run across the road to pick up something for me,’” Garczynski said.
About 10 minutes after she received the email and asked what he needed, a lightbulb went off in her head: something wasn’t right. She decided to email the dean’s secretary to verify he’d actually sent the email.
It took over 30 minutes for the dean’s secretary to respond, but, luckily, Garczynski had stopped responding to the text messages.
Scam emails aren’t something new to Garczynski, who said that during her 16 years with SRU she’s seen all kinds of fake emails come through, from fake ink cartridge purchases to attachments carrying viruses and malware encrypting her hard drive and holding it for ransom.
While users like Garczynski may see a phishing email a few times a month, between three and four million emails a day are being intercepted by spam filters run by a third-party vendor, according to Ziegler.
Information security company F5 found phishing attacks in 2020 increased by 15% compared to the previous year. Between May and July of 2020, F5 saw a 220% increase in phishing incidents with its clients alone.
When a user does receive a phishing email in an SRU account, it should be forwarded to IATS so employees there can block the email address and any links in the email, according to Ziegler.
Looking over the email Garczynski received, two red flags stuck out. First, the subject of the email was just the word “Dean.” Second, while the name of the dean of the College of Business appears in the ‘From:’ line, the email originated from a Gmail account whose address used the dean’s name and the abbreviation SRU.
Shao said he doesn’t recall the email from September, but said he does not have a Gmail account with that name. Around the same time that Garczynski received her phishing email, however, Shao had received one similar to Garczynski’s in its email address format and body text, from someone claiming to be SRU’s provost.
Shao speculated that attackers were able to get the names and titles from the university’s directory, which is open to view on SRU’s website, to generate convincing emails.
When Ziegler first stepped into his role at SRU, eight years ago, he thought the biggest risk to the university’s data and systems would be a tornado that might damage structures. With that planning, the university began moving as much as possible to off-site facilities and utilizing internet-based cloud storage to keep data safe.
The preparations made for a natural disaster have also paid off for SRU in the event that credentials are stolen, which might provide hackers with access to systems and data, including financial data the university holds related to students’ financial aid information. While preventing access to those systems is important, making sure users don’t give up sensitive information is the first line of defense, according to Ziegler.
Starting late last year, SRU began implementing increased security features with regard to user accounts and email. Now, when users receive an email from outside an SRU address, a large yellow banner notifies the recipient. SRU also began requiring all users to set up multifactor authentication on their accounts, which requires an additional, random code to be entered, along with a password.
While Ziegler said employees do receive training, usually when they first arrive at SRU, Garczynski said she doesn’t recall any, except for an email last year reminding staff to be on the lookout for phishing attacks.
Stephen Larson, an associate professor who teaches courses on information systems and cybersecurity at SRU, said those responsible for securing systems should continuously be training their people because phishing attacks have become the most common form of cyber-attack.
“If you don’t constantly train people, then they are going to forget,” Larson said. “They’re going to click that phishing link again and again.”
Larson, who teaches a practical computer security course as part of the computer science department, said that even students need to be concerned with their credentials and identity being stolen because of the broad impact such an attack can have.
One of the “holy grail” pieces of information attackers look for is Social Security numbers, according to Larson. The line of thinking – that an attacker will steal their identity and their large student loan bill – is common among his students, but ill-conceived.
If hackers get access to a student’s personal and financial information, the student should expect their debt to increase, not go away, Larson said.
Along with just paying attention, Larson suggests users learn how to secure their phones and keep their login credentials and other passwords encrypted. Having a long, strong password for all accounts is also important, Larson said.
Garczynski is aware of how naïve she is when it comes to cyber-attacks, but she knows what’s out there and what she’s fallen for in the past. She tries to be cautious, but as the number of phishing attacks increases and the sophistication of attacks grows, she needs to be more alert, she said.
Garczynski believes that as the world gets through the pandemic, more and more folks will become increasingly cautious not only about their health but their online security.
“Only thing I can say is be aware, be alert and always be on guard,” Garczynski said.