Phishing torments webmail

Phishing scams have become an increasing problem for Technology Services and for students using Puget Sound’s webmail. Lack of awareness and caution makes students vulnerable to these scams, which, when responded to, can compromise a student’s webmail account as well as the University’s reputation.

“There has been an increase in the number of phishing scam messages that folks receive, and therefore the number of folks who fall for them has gone up. It could be, too, that people are just more apt to give out personal info online these days. I do know that some of the phishers have become more sophisticated in their scams,” says M. K. Smith, Communications and Project Manager of Tech Services.

“It generally goes in waves. I would say we are in a high point right now,” says William Morse, Jr., Chief Technology Officer and Associate Vice President for Technology Services.

Phishing emails are a specific type of spam that asks students to divulge their webmail username and password, either by submitting them directly to the sender or by being redirected to another site that very closely resembles Puget Sound’s webmail login page.

“When somebody responds to a message they’re hurting themselves and others as well,” says Smith. “When somebody gives out a password, we have to lock that account down. We have no choice. That’s why someone’s account will get quarantined, and they need to come to the service desk to reset their password. There’s also a Password Security Agreement that we ask people to sign. It’s not to punish them, but to educate people.”

According to Tech Services, if a student’s webmail is compromised it not only makes their webmail username and password available to an unknown party, but it also hurts the University and anyone else who uses a “pugetsound.edu” email address. When a “phisher” gains access to the student’s email, he or she has the ability to generate spam.

This student’s account then becomes a liability to the University because of the massive amounts of spam being sent out by their email. As a result, places that receive these spam messages and see the “pugetsound.edu” will block the University and any email from there.

According to Morse, most of the time when a student’s webmail is compromised, Tech Services does not require the student’s computer to fix the problem. “There are some cases where we would want to work on the person’s computer if they have gotten some sort of virus or if they opened an attachment containing a botnet, which actually uses the computer itself to send spam, instead of just the Puget Sound email,” said Morse.

Jaki Nestor, a student at Puget Sound who responded to a phishing email, said, “Well, it was quite a debacle, but Tech Services was really nice! I received over a thousand e-mails which clogged up my work e-mail and I got really backed up in work.”

“For some reason I didn’t even think really closely about it, the e-mail seemed straight forward so I answered it to get it out of the way and move on to more important work. I just called Tech services, they educated me a bit, fixed the problem and that was it, problem solved. I will definitely not do it again, that’s for sure,” Nester said.

There are some clues that can help students spot a phishing scam, including spelling and grammatical errors. And although some scams are becoming more discreet, there are still some that are easily spotted by the sender’s email address, like those not from a “pugetsound.edu” address.

However, more sophisticated phishing emails may actually have a “pugetsound.edu” at the end of the sender’s email.

In one instance, a phishing email redirected students to a login page that very closely resembled Puget Sound’s webmail login page, but the URL was not from the University. Oftentimes these emails present an ultimatum: the students’ accounts will be terminated, or their accounts need to be updated, unless they offer their password. Tech Services will never ask for a student’s password or threaten to close their account.

Spam emails are not automatically sent to everyone, which makes them difficult to track down.

If students are ever in doubt as to the legitimacy of an email, they can contact or email the service desk.

Everyone’s webmail accounts are equipped with anti-spam software, which filters all incoming email. Unfortunately, this does not eliminate the possibility of receiving spam.

According to Mark Young, Director of Network and Server Systems, approximately 94-95 percent of all email on the Internet is spam.

According to Morse, it is difficult to prevent all phishing emails because there is nothing really unique to them. Many phishing emails also originate from other accounts that have been compromised, which means that they may seem to come from a legitimate sender when they really do not.

Tech Services has been discussing possible add-on products, which can further protect students, faculty and staff.

“When we find out about one of these emails, we do redirect any replies to that particular address to a specific account set up by the University. And then what we do is notify that person that that was not a genuine email,” said Young. “When we catch it like that, it’s actually quite effective because the student’s password never gets out.”

According to Tech Services, unfortunately, if a student is not on campus, there is nothing the University can do. Technology Services wants students to be as wary of their login information as they are wary of their Social Security numbers.

“The person who’s really empowered to make a difference is the user themselves. Just being careful. You need to be as careful with your passwords as your keys,” says Morse.