The Higher Education sector is a lucrative hunting ground for fraudsters – using phishing tactics to steal username and passwords, unlocking systems and enabling access to the University’s and the user’s own data.
Earlier this year, Lancaster University reported a breach that involved the loss of a significant amount of student personal data that can be monetised or used for further fraud against those students affected.
Fraudsters have been reported to
- target students with false invoices, demanding direct payment to the fraudsters
- launch phishing campaigns against students, staff, and other universities
- redirect salary and expense payments from staff members to their own accounts
For Hallam, attacks have increased in severity over the last few months and we’ve seen increasingly sophisticated phishing campaigns since early 2019. These attacks are often successful because they direct users to sophisticated log-in portals that look like our own Office 365.
DTS monitors these attempts and aims to intervene as early as possible to reduce the opportunity that fraudsters have. The new email ‘caution’ banner (usually in yellow) at the top of all external mail is one of several measures put in place to highlight the risks in online activity. DTS also supply a CyberAware online training module which aims to help staff identify risks, and how to combat these. We encourage all staff to complete this for the safety of themselves, and the University.
Ultimately, it’s down to individual users to be wary of unexpected emails that require documents to be opened or to log-in to a website. Please remember to
- Check the sender (the new external email caution banner should help to identify external senders, treat these more cautiously).
- Check the address of any email links (always hover the mouse over them before clicking – this can sometimes be a giveaway).
- Check the website address if you have clicked a link (don’t just assume it’s a University website because it uses our branding – fraudsters are good at copying).
- Stop and think before logging-in, if anything at all feels ‘off’ then don’t go any further, contact IT Help before proceeding.
If you find something suspicious, or think you might have already been compromised, contact IT Help on 0114 225 3333 immediately.
Digital Technology Services is increasing the visibility of potentially fraudulent email by marking all email from outside the University to remind users to treat links or attachments with caution. This is an increasingly common tactic across the HE sector to help users to better identify fraudulent email, reducing the risk to them and the University.
Over the past month the University has seen a big increase in phishing, with over 3000 fake emails being delivered to University users’ mailboxes. While many recipients identify them as fake and report them so DTS can take action, the emails and web pages linked to are often convincing enough for some people to be taken in, providing usernames and passwords or other personal data to the attackers. Where we can trace that a user is at risk from an attack, DTS can take action and have reset over 100 hundred users’ passwords where suspicious activity is observed.
Once a user’s username and password are compromised like this they are exposed to a number of risks which have recently included use of their mailbox to launch further phishing or fraud attacks against other University users and changing staff bank details in Core to redirect salary payments to an attackers account.
The CyberAware online training
shows users the key risks in online activity, such as mail and web browsing, and how to deal with them. We recommend all undertake this regularly. While DTS can identify accounts at risk and support users in recovering control of their account, we cannot help where data or money has already been lost. For this reason it is important for the protection of University staff and students that we help people identify suspicious activity and take appropriate action.
If you ever accidentally click on a suspicious link, contact IT Help on 0114 225 3333 immediately.
An ongoing phishing campaign targeting educational institutions in the US and the UK has now been seen by some SHU staff members.
Messages often appear to be from a known contact of the recipient and contain a subject line that has been used previously in communications between the sender and recipient e.g. “Re: Sheffield Hallam Open Day- Saturday 18th August 2018”.
The message may contain very little text and what looks to be a green button labelled “Display Message”, “Click here to view message” or similar text. Below is an example:
This button should NOT be clicked. If you do accidently click it, do not enter your username and password on the webpage that you are taken to.
If you have already entered your credentials, then the you must change your password immediately, using the “Changing your password” link on the Staff homepage or by visiting http://go.shu.ac.uk/password.
Instructions for dealing with phishing emails can be found here: https://portal.shu.ac.uk/departments/is/ithelp/helpme/pages/suspicious_emails_phishing.aspx
There have so far been relatively few of these emails seen at SHU but the experience of other educational institutions suggest this situation may change
A cyber-awareness course is available at http://go.shu.ac.uk/cyberaware – completing it will help protect yourself and the university.
GDPR is coming into effect on 25th May and will herald a big change in the way organisations hold and manage personal data.
As such many organisations will need to seek consent from existing and new users, you may have noticed an increased number of emails asking you to either review privacy policies or grant explicit consent to continue receiving emails, etc.
We’ve become aware of a number of phishing campaigns purporting to be from a well-know organisation/brand with the sole intent of getting login details from recipients who respond. Further details are in this article:
As always, take care when dealing with emails inviting you to click on external links
- Check the sender’s email address carefully (phishers often use slight misspellings to dupe the unwitting into clicking)
- Check any link in the email by hovering over it, if it doesn’t look quite right it likely isn’t
There’s no indication that the SHU community is being targeted so there’s no need to be unduly worried but do be careful when dealing with these types of emails – both at work and at home
The University has received notification of fraudsters running sophisticated scams at other universities to obtain users’ login details for the HR portal. These details are subsequently used to change bank account details so wages and expenses are paid to the fraudsters.
On receipt of this notification SHU is taking the following action:
- Contacting all staff who have changed banking details since the last pay day on January 15th verifying the change is legitimate
- Adding filters to the SHU mail systems to block known e-mail subject titles. A search of the logs show no previous use of these subject titles in previous emails
- Communicating with staff via the staff intranet, eView and the IT Security Blog
There’s no indication that SHU has been targeted yet and staff are being informed of the current risk via a number of channels.
As always please be aware of unsolicited emails enticing you to click a link or open an attachment. This particular phishing attempt used both branded emails and a branded web login page indistinguishable from the actual HR employee portal
- had any suspicious/unsolicited emails
- clicked on a link in an unsolicited email taking you to the Core Portal
- entered username/password into the Core Portal that has subsequently failed to load
Please contact the helpdesk on 3333 or via ITHelp@shu.ac.uk
For more information see this article on protecting yourself from phishing fraud and this advice on the staff intranet about dealing with suspicious emails.
Phishing uses fraudulent emails, texts and phone calls to obtain personal and financial information (such as account details and passwords) or to trick people in to performing an action (such as authorising a payment). These attempts are becoming increasingly professional and try to appear genuine by mimicking the look and brand of companies or organisations to gain trust.
Fraudsters often invest a lot of time and effort in trying to hack the accounts of people who have access to budgets or personal, sensitive or confidential information. Targeted attacks are known as ‘spear phishing’ and phishing high value targets in an organisation is known as ‘whaling’.
This video (courtesy of one of our suppliers, Cisco) gives an insight into how a hacker might think and act.
There are several ways to spot phishing emails:
- Be suspicious of any urgent requests for personal or financial information
- Be wary of attempts to make you take immediate action around financial payments, transfers or authorisations
- Check the quality of the communications. Misspelling, poor punctuation and bad grammar are often tell-tale signs of phishing
- Check hyperlinks and email addresses by hovering over them to show where they lead. If they aren’t genuine, they will often be peculiar web or email addresses.
How can you protect yourself?
- Always ensure you are using a secure webpage when submitted credit card or other sensitive information. Secure web addresses begin with ‘https://’ and/or show a security lock.
- Do not give out personal information in response to an unsolicited email, phone call or text.
- Be sure you are going to the correct site by typing in the address yourself
- If in doubt, call the company or individual which the email claims to be from. They will usually be able to confirm whether the communication is genuine or not.
- If you think one of your accounts has been compromised, you should change your password immediately.
If you’ve responded in the past to one or more phishing emails be aware that you may be the target of further, more sophisticated attacks via email or phone.
If you have clicked on a suspicious link or opened an attachment, suspect you have a virus or have any other IT Security concerns, please contact IT Help.
For more advice about dealing with suspicious emails, visit the University’s IT Help pages.
You might find this Lynda.com playlist on Cybersecurity useful too.