March 18, 2019

Webster University targeted in phishing cyberattack

Webster University was targeted by a phishing attack attempting to access email accounts on Thursday, Nov. 2. The e-mail was sent from the account of an adjunct faculty member and was designed to replicate a message from the president and provost.

The subject of the message said “FW: Important Message from the President and Provost Webster University Employee Communications (11/02/2017).” The message contained a link encouraging targeted users to read a document about employee communications.

Director of Public Relations Patrick Giblin said Webster’s IT Department identified the phishing message within two minutes of it being sent. They were able to contain the message to two impacted email accounts out of 4,457 targeted. Giblin said IT shut down the compromised accounts in order to prevent phishers from accessing any personal information.

All targeted email account users received an email from the IT Department warning about the fraudulent message and explaining how to prevent similar issues in the future.

Giblin added this was not the first phishing attempt against Webster.

Phishing often occurs through email, where hackers attempt to trick someone into revealing personal information. This can include bank account numbers, social security numbers and birth dates.

James Curtis, an assistant professor of cybersecurity at Webster University, said good phishing efforts are partially true because they use easy-to-find information from the Internet, such as where you attend school or where you work. He said if people take precautions, there are simple ways to identify phishing attempts, such as the language used in the message.

“One of the things I tell people is to look at the address and see where it is from,” Curtis said. “Everyone at Webster University is and if it says ‘,’ which is what this email said, shouldn’t that tell you something is wrong?”

Curtis and Giblin said phishing attempts on universities are becoming more common. Between 2006 and 2013, over 500 universities reported cyberattacks, according to Data Privacy Monitor.

Curtis said universities are subject to phishing attacks because historically, they do not have the same level of cybersecurity as businesses such as Edward Jones.

“If you think about it, a university not only has a lot of your personal information data, but we also have financial data on students, we have grades,” Curtis said. “I think some of the attackers, primarily the criminals, are now saying ‘Hey these are good places to go’ whereas in the past they may not have been thinking about universities so much.”

Curtis is currently working with the IT Department to develop a security awareness program for the university. The purpose of the program is to raise awareness on security and cybersecurity issues such as phishing and spoofing and how to prevent and recognize potential cyberattacks.

“I am a big proponent of starting these programs at Kindergarten,” Curtis said. “If they are getting Kindles for children, they can get on the Internet. So, we need to start talking to them about what to click on and what not to click on at the age appropriate level.”

Curtis believes offering security awareness programs and educating young children on proper Internet usage can greatly decrease the number of cyberattacks.
