Since the start of winter quarter, members of the University community have been experiencing an increase in phishing attempts sent to their University email accounts, according to an email in early February from Information Technology Services (ITS). According to a University spokesperson in a statement to The Maroon, there was no specific weakness in the security of student email accounts that led to this increase. The spokesperson attributed the increase to a broader trend affecting other organizations as well.
Phishing is an attempt to gather sensitive information from individuals through email or text. These emails or texts are often disguised as communication from a trusted individual or organization, such as University administrators.
The University does not provide specific information about the number of phishing emails sent to students or the number of students who have sent their information. However, a list of phishing emails that members of the University community have received can be found on the information security website.
If students send their information in response to these phishing attempts, the University’s ITS works with them individually. Typically, ITS locks the student’s account and uses anti-malware software called CrowdStrike to eliminate any malware from their systems.
“We use industry-leading email security tools. The majority of phishing emails do not reach students’ inboxes,” the University spokesperson said.
Fourth-year Bridget O’Shea fell victim to one of these phishing emails in February. She received an email from a UChicago account saying that, as a fourth-year, her account would be made inactive in the spring unless she sent her Duo pin number, UCID, and password to a phone number provided in the email.
“Although I was skeptical of the email, I was stressed that it might be real and I was remarkably tired… so I didn’t stop to think about the now obvious signs that it was not,” O’Shea said. It was 11:30 p.m. when O’Shea read the email. “Additionally, I was fooled by the fact that it came from [what appeared to be] a real UChicago account, [that it] had not been picked up by the spam filter, and that they knew that I was a graduating senior.”
A few days later, O’Shea received a follow-up text asking for more information. “Given that I had more time to think about the email at this point, I began to get suspicious,” O’Shea said.
After seeing that the phone number was from a North Carolina area code and that the person who sent the email was not part of the UChicago Directory, she realized that the email was indeed a scam. O’Shea contacted an on-call IT worker at ITS to fix her account, which she had been locked out of. She described the IT worker who helped her as “extremely helpful and kind.”
On February 28, ITS sent another email to the University community about an upgrade to the Duo two-factor authentication service that will include enhanced security features. These changes include a three-digit numeric code instead of push notifications and enhanced authentication verification, in which users will have to provide additional verification if attempting to log in to their UChicago account on a non-University virtual private network (VPN).
There are many steps the University recommends to students to protect themselves from phishing attempts, which are featured on the information security website. The University said students who receive a phishing message or who have shared any information should contact the University’s Information Security team by calling (773) 702–2378.