A recent increase in email scams, including fake job and internship offers, is coming from more than 100 compromised university accounts, according to Loyola officials.
A Feb. 10 alert from the University Information Security Office (UISO) warned scams may be coming from a compromised account and advised students to exercise extreme caution when opening emails and attachments.
“Please be extremely cautious when viewing emails and clicking on links or attachments,” the alert said. “DO NOT OPEN any attachment or provide any personal or banking information if you do not fully trust the source. Exercise special caution if you receive a communication from an unknown or unexpected source.”
Chief Information Security Officer James Pardonek said in an email to The Phoenix that Loyola typically sees 1-2 compromised accounts per month, but recently it has seen over 100 compromised accounts.
Pardonek said Loyola manages around 70,000 accounts and typically sees one or two compromised accounts a month, making the spike unusual.
Pardonek said compromised accounts tend to have weak passwords and may have responded to a notification confirming a login they didn’t make.
Pardonek said the spike was temporary and could be caused by a variety of factors including global events or targeted attacks. He also said the time of year could play a role in it.
“We generally see an increase in job offer phishing emails at the start of the semester, seemingly to attempt to ensnare younger students that are not yet aware that these phishing emails exist,” Pardonek said.
Dr. Eric Chan-Tin, a computer science professor who specializes in cybersecurity, said these types of scammers send out mass emails, texts and phone calls to try and extract information from people.
“Phishing is a generic word for sending a mass email or texts or phone,” Chan-Tin said. “It’s kinda like we are fishing. You throw a line in and there’s lots of fish. You just hope that one of them catches on and go from there.”
These scams can take on multiple forms depending on the type of information the scammer is looking for, Chan-Tin said. In some instances, like ones seen recently by the Loyola community, the scammer will try to have the person they’re scamming contact them from a personal email address or other messaging service.
Chan-Tin said this is done to bypass some of the anti-spam filters that services like Outlook and Gmail use to prevent spam from getting into the main inbox.
“Anything that goes to spam is less likely to be viewed by a person,” Chan-Tin said. “So using a different email then reduces the probability of it getting filtered.”
One Loyola student, first-year public health major Elena Hoppmann, said she received several scam emails but didn’t put in any of her information. She said the emails appeared to be targeted towards her because of her major.
“It’s almost like they’re being tailored to me, because being a public health major, I get a lot of emails from the school already,” Hoppmann, 19, said. “There’s like these keywords that seem to specifically be tailored to my degree program.”
Hoppmann said some of the scams were hard to identify because of the variety in approaches they used.
“They seem realistic because of the fact that there’s so much variety in the ways that they approach me,” Hoppmann said. “They’re always all different people as well.”
Two other Loyola students said they experienced something similar. Samantha Thomann, a second-year psychology and criminal justice major, said some of the emails were advertising jobs and internships related to psychology.
Thomann said if circumstances were different, then she might have fallen for the scam.
“The only reason I didn’t reach out was because I was a freshman and still figuring things out,” Thomann, 19, said. “I already had a job and I was gonna look for internships specifically in psych later when I was a little older.”
Another psychology major, sophomore Addie Aldana, said the scams looked very realistic to her, leading to a sense of disappointment when she realized they were fake.
“It’s a little bit disheartening knowing that they’re fake,” Aldana, 20, said. “Us as students, we’re trying to find opportunities to get jobs, and internships so it is a little scary.”
Pardonek said when an account is compromised, the scammer has access to the email lists of the university.
Other types of scams may direct students to a page that looks like a Loyola login page. Chan-Tin said this type of scam was relatively easy to pull off as the coding for all websites is public.
“You can easily copy every picture, every text, and then you create your own website, and you just paste everything,” Chan-Tin said. “That usually involves a bit of work. So what some people would do is just copy-paste the minimum required, so it looks legit, but it’s not exactly the same.”
Chan-Tin said scammers have various incentives for trying to get students’ login information. In some cases, scammers might work under the assumption that people are using that password for multiple accounts, for example a bank. Another reason is to try and compromise a student account as a stepping stone to compromise other accounts.
“[The scammer] could send a real email from the student to say a professor and then you have that professor, click on the link, because a student might say hey, here’s my homework, and the process, you get a professor’s account, then maybe you could use that to go to get an ITS account,” Chan-Tin said.
The scams don’t just affect students either. Pardonek said the scams don’t discriminate in who they target while Chan-Tin recalled a previous instance where professors were specifically targeted.
Some students said the scam emails were easy to spot. Patrick Lewis, an undecided first-year, said the structure of the emails along with the presentation made them easy to identify as scams.
“First off, there was no structure to the email like you get with most corporation emails,” Lewis, 19, said. “It was filled with grammatical errors and just something about it sketched me out about it.”
Alise David, a sophomore nursing major, said the scams were easy to pick up on because none of them included her name, they were very vague on details about what they were offering and the font of the email seemed off.
“There weren’t really any specific details in it,” David, 20, said. “I think it was advertising a job or a position of some sort, but that was it. It’s strange that I would get that advertisement with no further information or details or anything.”
As for what students can do to protect themselves against the scams, Pardonek directed students to a UISO website that includes tips on how to identify the scam emails, along with a sample scam email. Pardonek also directed students to a website run by Career Services that also helps students identify scams.
If a student or faculty member wants to file a report related to a phishing scam, then Campus Safety can assist them in filing that report, Loyola spokesperson Anna Shymanski Zach said in an email to The Phoenix.
In addition, Chan-Tin said to avoid clicking on links in your spam folder, install an antivirus on your computer and avoid unknown websites.
If you do find yourself a victim of the scams, Chan-Tin said to take steps to protect your accounts and change any information you gave to the scammer. These steps can include changing your password, contacting your bank and putting a freeze on your credit to make sure people can’t take out credit cards with your identity.