Increased phishing and other security incidents over the past year have caused Loyola officials to consider taking more extreme measures to protect private information.
Loyola Information Security Officer James Pardonek said the department is considering new safeguards and implementing initiatives to raise student awareness as the school year begins.
In total, an estimated 3,000 email accounts were compromised during the 2017-18 school year, Pardonek said.
The fraudulent emails are often masked as university officials requesting personal information and attempting to infect the user’s computer with damaging malware.
The university is considering adopting a multi-factor authentication system to increase students’ online security, according to Pardonek.
Multi-factor authentication provides an additional step in the process of logging onto sites such as Loyola’s email server.
In addition to providing a username and password, multi-factor authentication could mean users would have to accept a code on their cell phone as well, Pardonek said.
Popular social media sites, such as Instagram and Facebook, utilize a type of multi-factor authentication called two-factor authentication.
Northwestern University uses multi-factor authentication involving students’ Northwestern ID, password and phone in the login process.
Pardonek said this additional step would provide added protection.
“Even if you provided your login information to someone [through a phishing email], it would be useless because they wouldn’t have your cell phone,” Pardonek said.
While this safeguard is being considered, Pardonek was unable to confirm if it would be launched this year.
However, the Information Security department is also planning to develop a greater presence on campus and at student events to spread awareness. Information Security plans to be at the Sept. 5 Career Fair with information for students.
Incidents of phishing at Loyola have increased in recent years, Pardonek said.
In April, some students and staff received a phishing email impersonating Loyola President Jo Ann Rooney in a ploy to capture users’ login information.
In June, emails imitating the Office of the President, the retired Dean of Libraries and the Provost attempted to lure users into downloading a harmful software. Some users also received an email disguised as Loyola basketball player Marques Townes with similar intentions.
Later that month, some members of the Loyola community received emails once again appearing to be from the Office of the President with similar motives to past emails.
Pardonek attributed the increased presence of phishing in part to Loyola’s greater visibility and press coverage following the basketball team’s success in March Madness last year.
But phishing has seen an increase across many universities, not just Loyola, Pardonek said.
DePaul University reported an increase in phishing scams last summer and implemented a new online training for employees to become more aware of possible online scams, according to an article by information services.
Northwestern University has experienced 21 reported incidents of phishing since March 19, 2018, according to the university’s Information Technology website.
Maddy Matter, a senior studying accounting and political science, said she’s had difficulty determining if emails are fake. She said she’s noticed phishing becoming more frequent over the past few years.
“I did [trust Loyola’s online security] for my first two years and now all of a sudden [phishing is] a problem. I don’t really know what’s different,” Matter said.
Katelyn Gavin, an advertising and public relations student, said she has become more skeptical of online security at Loyola.
“I think they could make people more aware. I don’t know if I’ve ever gotten an email or an alert or something … I kind of just figured it out of my own,” Gavin, a junior, said.
While many thousands of students and faculty experience phishing throughout the year, it isn’t the only security threat at Loyola.
Recently, a data security incident left former and current Loyola employees vulnerable after their personal information was accessed by an unknown, unauthorized individual on a computer in Loyola’s Human Resources department.
Shortly after the incident, the university announced they were reviewing additional safeguards to avoid a recurrence.
Pardonek was unable to provide updates on new security measures but Loyola Communication Specialist Sarah Howell said potential improvements are currently under review.
In the meantime, the university in launching an information security awareness campaign for students, faculty and staff. Faculty and staff will also participate in mandatory information security awareness training.
“Several technology changes to our information security environment are planned for this academic year, as well as a review of instructions on University processes that we may not want to make available to the public,” Howell said. “These activities will make it more difficult to inappropriately access or share sensitive information.”
Security threats coming from platforms unaffiliated with Loyola have also occurred intermittently throughout the past year.
This March, The Phoenix released a report indicating many students’ personal information could be accessed by fraudulent accounts running some Loyola class Facebook pages. The pages have since been shut down.
Students use class Facebook pages to communicate with their peers, but many of those pages appeared to be run by or promoted companies unaffiliated with Loyola.
Another Facebook page, “Loyola University (LUC) Housing, Sublets & Roommates,” was hacked over the summer. A Facebook story from the account asked students to send money to a man named Maurice Davis.
As the school year begins, Pardonek encourages students to send any emails they suspect to be phishing emails to firstname.lastname@example.org as an attachment.
“The more we get, the easier it is to protect,” Pardonek said.
Students can view past phishing incidents on the Loyola Information Security blog, which provides updates to students and staff.