About 2,000 Loyola email accounts have been compromised by fraudulent emails known as “phishing” scams since April 2017, according to James Pardonek, head of Loyola’s information security office.
The malicious emails are designed to resemble official university communications and trick students and staff into entering their Loyola passwords into a non-Loyola website. The language of the emails is often urgent, telling unsuspecting victims to update their passwords immediately or risk having their accounts shut down.
“The first thing [scammers] want to do is create a sense of urgency with that [victim] so that they react without really reading the whole thing,” Pardonek said. “Whoever [the victim] is responds to that email thinking it’s authentic and provide their information.”
With a Loyola login in hand, the scammers can read the compromised account’s address book and send further malicious emails from it, fooling more people. They can also try to use that password on other accounts, such as bank accounts or online shopping logins, since 40 percent of internet users reuse the same password across multiple accounts, according to the Pew Research Center.
Pardonek said about 2,000 students and staff entered their information into one of the numerous malicious websites set up to scam Loyola users.
One of those students was first-year biology major Emily Martsvalova, who said she entered her email and password into a scamming site thinking it was an official university website. She said her Loyola email account has sent more than 300 malicious emails after being compromised.
Martsvalova said her email account sends her frequent notifications saying her account is sending unauthorized messages, but she never sent them. She said she’s changed her password several times and the problem hasn’t improved.
“I talked to Loyola about it and they’re like ‘here, just reset it,’” Martsvalova said. “I did that twice but it still keeps happening.”
Aaylla Jaffery, an undecided first-year Loyola student, said her university email account has also been affected by the recurrent phishing emails. But before she could enter her email and password into the form, Jaffery said the page, masquerading as an official Loyola site, was taken down.
“I clicked on it once, and it got me to another website that said ‘not found,’” Jaffery said.
Pardonek said there isn’t much Loyola can do about the emails except have the malicious pages taken down once they’re discovered. He said he thinks it could be fixed by setting up added security measures, called two-factor authentication, which requires a user to verify their identity two ways before being allowed to use an account.
“It’s just like when you go to an ATM, that’s two-factor authentication,” Pardonek said. “You need to know your PIN and you need to have your card.”
The problem, Pardonek said, is that setting up such a system is expensive. It would require money up front for the system itself and more money for the labor to install and maintain it. Instead, Pardonek said the best way to prevent these sorts of scams is to teach people how to tell whether an email is malicious.
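As an added illustration of the tells Pardonek describes (a link to a non-university site collecting the password, urgent wording), here is a small Python heuristic checker; it is not Loyola’s tooling, and the trusted domain, phrase lists and sample messages are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder for the university's real mail/web domains (assumption,
# not taken from the article).
TRUSTED_DOMAINS = {"loyola-example.edu"}

# Wording the article says phishing emails lean on: urgency plus a password demand.
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be shut down", "suspended")
CREDENTIAL_PHRASES = ("password", "update your account", "verify your account")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_is_trusted(url: str) -> bool:
    """True only if the link's host is a trusted domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def assess_email(sender: str, subject: str, body: str) -> list[str]:
    """Return the reasons this message looks like a credential phish.

    An empty list means no heuristic fired; it is not proof the mail is safe.
    """
    text = f"{subject}\n{body}".lower()
    findings = []
    # Links that leave the university's domains are the core tell: the form
    # collecting the password lives on a non-university site.
    for url in URL_RE.findall(body):
        if not host_is_trusted(url):
            findings.append(f"link to untrusted host: {urlparse(url).hostname}")
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgent language pressuring an immediate response")
    if any(p in text for p in CREDENTIAL_PHRASES):
        findings.append("asks for account credentials")
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain not in TRUSTED_DOMAINS and "loyola" in text:
        findings.append("claims to be from the university but sender domain is not")
    return findings


# Constructed sample messages for a quick self-check.
PHISH = ("it-helpdesk@mail-secure-login.example", "Action required: Loyola account",
         "Your Loyola mailbox will be shut down. Update your password immediately at "
         "http://loyola-login.mail-secure-login.example/reset")
LEGIT = ("its@loyola-example.edu", "Planned maintenance this weekend",
         "Webmail will be unavailable Saturday 2-4 am. Details: https://its.loyola-example.edu/status")

if __name__ == "__main__":
    for msg in (PHISH, LEGIT):
        print(msg[1], "->", assess_email(*msg) or ["no heuristic fired"])
```

The checker is a teaching aid for the awareness training the article recommends, not a filter to rely on alone: a phish that avoids these phrases and hosts its form on a compromised trusted subdomain would pass it.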
Loyola’s email accounts have been plagued by these issues for over a year. Last fall, Loyola’s Information Technology Services sent an email to students and staff to bring attention to the problem. While Pardonek said raising awareness is the best way to prevent the phishing scams from recurring, he said there isn’t currently a plan to inform all students and staff of the problem.