The Webster Information Technology Staff alerted students to the phishing attempt on Jan. 21.
Webster University students and faculty were the targets of another phishing email scam. A series of emails with the subject line “Pandemic Grant now Available” was sent out by a variety of senders claiming to be with Webster’s financial aid offices. On Jan. 21, the Webster Information Technology staff notified students of the spam.
According to Patrick Giblin, director of Public Relations, neither students’ nor the school’s financials were compromised. Giblin informed The Journal the attack was not meant to access financial aid and was unsuccessful in gathering the information to do so.
Instead, the purpose of the attack was to gather contact information from students and faculty to send phishing scams to their contact lists. The emails asked students to open a PDF, which had a link to a fraudulent version of the Webster University login page. The victim would attempt to log in to claim what they thought was aid in a trying time. However, they were giving their login credentials to cyber criminals.
“The link was not a spoofed version of the Webster Portal,” Giblin stated. “Rather it was a Weebly page that attempted to look like an official log-in page. It also should be noted that on the Weebly page, the word ‘password’ was misspelled, which was an immediate clue that it was a phishing attempt.”
Giblin informed The Journal that this is the most common form of online scam.
“Most modern online scams rely on the end user to be manipulated or tricked into clicking on a fake link and surrendering personal information,” he said. “So, it has become vital to make sure that everyone has the knowledge to identify these attempts and prevent a theft from happening.”
Giblin pointed out that Webster University remains vigilant in attempting to prevent and thwart these attacks. However, he added that it will remain a constant effort as cyber criminals and their technologies evolve over time. To further combat these attacks, the university has begun disseminating information about them to students, faculty and staff. Giblin stated that online cyber awareness training has become mandatory for Webster University staff this year.
Despite Webster’s efforts, student Shelbi Patterson fell victim to the scam. Patterson pointed out that the subject line caught her attention right away due to the claimed financial relief. James Curtis, the lead cybersecurity expert with Webster’s Math and Computer Science Departments, pointed to this as a common ploy used by cyber criminals. As the pandemic has taken a toll on people’s finances, they are especially susceptible.
Patterson opened the email early in the morning, when she was tired. She had doubts, but believed she was accessing Webster’s login page at the time. Luckily, one of Patterson’s peers contacted her shortly after she opened the email to inform her of the scam. Patterson immediately contacted the university, which instructed her to promptly change her passwords and monitor her account. She did not report any further issues to The Journal.
Giblin stated the attempted scam was detected within moments by Webster’s IT staff, who were able to block further spam emails quickly. Any student who did click the link was instructed to change their passwords and monitor their accounts, just as Patterson was. However, Giblin acknowledged the university currently does not have an accurate number of how many students were affected.
These types of attacks are inevitable, according to Curtis.
“The school has a really good information security program,” he said, “[but] we will never ever be able to keep these from occurring. No organization can.”
He pointed out that social engineers are always evolving in terms of the technology they employ and the methods they use. Curtis said social engineers will use open-source intelligence, in which they use social media networks such as LinkedIn, to get a connection with an individual affiliated with the university. From there, they will attempt to use a phishing scam on this individual to gain access to the school’s email directory to scam more people. The larger an organization is, the more likely attackers will be able to infiltrate it through one or a few individuals.
Like Giblin, Curtis encouraged education as the most efficient way of protecting yourself and others from these attacks. While Curtis pointed out the strength of Webster’s virus, spam, and IT protections, he said training still proves to be the most effective.
“It’s a painful thing to be a victim of a cyber-attack,” Curtis said.
Curtis encourages Webster students to check the U.S. government’s Cybersecurity and Infrastructure Security Agency website. The website, found at cisa.gov, has an abundance of resources students can use to better educate themselves against these types of attacks and protect their personal data. Curtis also encouraged students with a deeper interest in the subject to take his course: COSC 2710 Social Engineering and Society.
When it comes to future malicious emails, the IT department has instructed students to look for these warning signs: “Email ‘From’ name and/or signature not matching the ‘From’ email address, spoofed links/web pages (links that appear to go to a legitimate web site but upon hovering your mouse over the link actually point to a different and malicious web page altogether), unexpected email attachments and/or links, requests for private or sensitive information, threats of account shutdown, promises of money and/or requests for money, gift cards and/or bank account transfers, and incorrect spelling, bad grammar and/or excessive capitalization.”
If a student has a cyber-related concern, they have been instructed to promptly contact the Webster IT Support Desk via phone at 314-246-5995 or toll-free at 1-866-435-7270, or via email at firstname.lastname@example.org. Announcements on previous or ongoing phishing scams can be found at https://legacy.webster.edu/technology/service-desk/technology-news.html#phishing.