A wave of email scams that steal users’ personal information has been targeting student and faculty email accounts.
The fake emails, known as “phishing” scams, are designed to resemble official Loyola University messages and try to trick victims into entering usernames and passwords into a fake website, according to Information Security Officer James Pardonek, who heads Loyola’s information security office.
The language of the scams often parallels commonly received emails like information technology department alerts and shipping notifications, and the sites they direct students to are often hosted on inexpensive or free domains but use Loyola logos and language to disguise their true intent.
Once a student enters his or her login information into the fake site, hackers are able to spread more fraudulent emails to new victims, access university systems like LOCUS and Sakai and even steal financial information, Pardonek said.
“Most people are trusting, and the hackers rely on that trust to raise your sense of urgency — your email account will be disabled, for example,” Pardonek said. “[They] get you to click on the link and fill out a really convincing looking form. After that, it’s all over and you are compromised.”
Pardonek said more than 1,000 accounts have received at least one scam email, though it is unclear how many students entered information into the sites.
“I remember the first [email] was saying my account has been locked and I need to click this link to unlock it,” said school counseling graduate student Kate Ford, 24. “I was like, ‘This seems super fishy.’ It just didn’t seem right at all … I never clicked any of the links because I was like, ‘no, I don’t believe this at all,’ but I’m guessing they asked for your password.”
Some phishing emails try to deceive victims by using the names of current or former Loyola students. Sophomore Kaylie Plauche received a fake email sent under the name of a former Loyola student, but wasn’t fooled by the scam.
“I got this email asking me to change my password and I figured it was a phishing thing so I actually looked her up and she was a student at Loyola,” said Plauche, 20, an anthropology and ad/PR double major. “I found her LinkedIn [account], but I was like, ‘That’s sketchy,’ so I didn’t click [the link].”
Hackers are able to do this by accessing the address book of compromised accounts and sending fake emails to the Loyola-affiliated accounts in the victim’s contacts, spreading the nefarious links to more and more people, according to Pardonek.
“If an urgent request comes unexpectedly, like a package for you that you didn’t order or an issue with your email account, you should be very suspicious,” Pardonek said. “If you get a request from a friend that you are suspicious of, call or text them and ask them about it first.”
Students are encouraged to forward such emails to Loyola’s Information Technology Services (ITS) help desk and should never enter their account information into a site from an email, according to Pardonek. He said Loyola will never ask for account information via email.
If students do inadvertently give away their account information, they should immediately change their passwords and contact ITS right away, Pardonek said.
“That’s how they get you, they use someone else’s email,” said sophomore creative advertising major Sam Hudock. “It seemed like something Loyola wouldn’t do, so I forwarded it to the help desk and they [said], ‘That was the right thing to do because that was a phishing email.’”
Since the spring semester ended in early May, the number of phishing emails spiked, although Loyola accounts normally receive some phishing emails throughout the year. Although it is unclear what prompted the jump in fake emails, it’s often more difficult to help students who use their computers away from Loyola’s Wi-Fi networks, which use electronic blocking controls to disable access to malicious sites, Pardonek said.
When ITS receives a report of a phishing email, they immediately block access to the malicious site from all devices on Loyola’s networks. ITS has sent multiple emails warning students of the scams and makes an abuse report on its website every time someone reports a new version of the email.
Pardonek said he did not know who is behind the emails and that the problem is unlikely to go away as long as people keep responding to them.