Protecting Your Institution from Phishing Attacks: Education and Awareness Resources

Although phishing is not a new threat to the higher ed community, many schools have experienced an increasing number of targeted phishing attacks over the past several months. These phishing e-mails ask students, faculty, and staff to provide their institutional username and password. Once an account is compromised, it is typically used to send out more spam, which creates a new set of problems for the institution.

Many schools are working to combat these phishing attacks through education and awareness activities over the next few weeks as students return to campus. In an effort to assist institutions, EDUCAUSE has compiled a number of phishing resources that include websites on phishing, quizzes and games, and downloadable materials (e.g., posters, brochures, bookmarks, postcards, and videos). Please share any additional suggested resources with the Higher Education Information Security Council (formerly the Security Task Force).

Examples of What Campuses are Doing to Combat Phishing Attacks

Yale University has asked their Information Technology Services (ITS) department to help inform their community of phishing messages and protect their computing environment by adding the following e-mail signature block:

NOTE: Yale ITS will NEVER request passwords or other personal information via e-mail. Messages requesting such information are fraudulent and should be deleted.

Illinois State University posts any ISU-specific phishing emails they receive to their Alerts website. ISU has also just implemented a new system that will detect compromised e-mail accounts. When a compromised account is detected, they secure it by blocking send-mail permissions, deleting the phishing signatures from Webmail, expiring the user's password, creating a ticket for the problem (which is assigned to Help Desk), and sending an e-mail notification to the end user and to the Abuse team. This is an automated solution that requires human intervention only at the tail end -- when the Help Desk contacts the user to assist in completing the process. Finally, ISU has posted several phishing-related knowledge base articles on recognizing "ILSTU Team" phishing scam e-mails, how to avoid phishing scams and identity theft, how to recognize phishing e-mails, understanding phishing e-mails, and recognizing "ISU Credit Union" phishing scam e-mails.

Rochester Institute of Technology (RIT) has sent out several Information Security Advisory e-mails warning students about the Safe Use of Blogs, Wikis, Forums, and other Web 2.0 Tools and how to recognize Phone, E-mail, and IM/Social Networking Phishing Attacks. RIT has also sent an e-mail about Phishing Attacks Targeted at Specific RIT Managers.

Cal Poly Pomona sent a letter from the Information Security Officer (ISO) in response to recent phishing attacks:

Dear Faculty, Staff, Students, Auxiliaries, and Emeriti,

Over the past month, Cal Poly Pomona (like many other institutions) has been a target of fake (or "phishing") email offers/warnings. These malicious messages are meant to trick users into sending sensitive information to spammers. The best thing to do with these email messages is to delete them.

Quite a few of you have already emailed us to tell us about an email message where the sender is claiming to be Cal Poly Pomona IT staff and asking you for your password and personal information.  Good job recognizing this as being spam!  Many of those who wrote worry that others may fall for this dirty trick.

Cal Poly Pomona will never ask you to provide your password or social security number (or other personal information) by email.  If you ever haveany questions or concerns regarding fake email offers/warning, you can contact the Cal Poly Pomona Help Desk at 909-869-6776, send an e-mail tohelpdesk@csupomona.edu, or checkout our latest eHelp page on "phishing" scams at http://www.csupomona.edu/~ehelp/scams_phishing.shtml.