College and University IT beware: Students increasingly targeted by phishing attacks
Hackers don’t discriminate when it comes to phishing attacks. They cast as wide a net as possible. That includes college students.
It’s logical to believe that a generation that grew up on technology should be savvy enough to avoid falling victim to phishing attacks. But that hasn’t stopped targeted attempts on college campuses across the country.
Unique characteristics of college students make them vulnerable to attacks. Many are on their own for the first time and may not have had previous experience with how banks, government agencies and employers correspond with consumers. Therefore, emails that look official enough can fool them.
Additionally, more than most groups of people, college students need money. Sometimes emails offering a way to make quick cash or pay for tuition are too tempting to resist. That’s why many phishing scams aimed at college students offer scholarships, student loan forgiveness, credit card debt consolidation or “good-paying” jobs.
In one common example, official looking emails claiming to be from a government agency or nonprofit offer students grants and scholarships to pay for tuition. They usually require the recipient to click on a link, which takes them to a landing page where they are required to input their bank account information to receive the funding.
Students’ pervasive use of social media also makes them a prime target for phishing attempts. A simple version of a social media scam is sending an email claiming that the recipient’s social media account has been canceled. The messages provide a link to reactivate the account; but the link is used to install malware or obtain personally identifiable information.
Examples of recent phishing attempts on college students include:
- North Carolina State University has reported sophisticated attacks in which the perpetrators actually create near perfect copies of the school’s login pages with references to the university and even specifics about the student.
- Louisiana State University recently advised students that spam bots were sending emails pretending to be from the school’s ITS Help Desk.
- An email claiming to be from the college president was sent to thousands of Dartmouth College students earlier this month. The goal of the message was to have recipients download malicious software or provide their school intranet login credentials.
- Students and faculty at California-based Claremont Colleges received phony emails sent from hacked email accounts. The emails contained an external link that prompted the recipient to sign into their respective accounts. Hackers could then steal those credentials.
- In January, the FBI’s Internet Crime Complaint Center (IC3) cautioned students about a fake job scam targeting college students. Potential victims received messages into their college email accounts promising part-time jobs with flexible hours and good pay. Students who answered the ad were offered a job and sent a check for their first “” They were then instructed to keep a portion and send the rest to another party in the scam. Unfortunately for students who fell for the scam, the checks were fake; and they were responsible for the money withdrawn against it.
- In August 2016, the Internal Revenue Service issued a warning that scammers were calling students or their parents demanding they pay an overdue “Federal Student Tax.” The callers would impersonate IRS agents demanding wire transfers to satisfy this fake tax bill.
To minimize the risk of students falling victim to phishing attacks, communication is essential. Schools should frequently warn against these scams. Inform students — and keep reminding them — that no department on campus would need to verify email or account information via email because IT can trace that information within its own database.
Helping students recognize the signs of phishing attempts should be part of orientation, and any attempts discovered on campus should be communicated to all students and faculty as soon as possible.