BGSU Informational Technology Services stops 693 million spam emails every year before they reach the inboxes of students, faculty and staff. Attackers are constantly trying to poke holes through the filter and occasionally get through.
When attackers breach the filter, students should take their own precautions to avoid being a victim. According to ITS Chief Information Security Officer, Matthew Haschak, signs of malicious email include generic greetings, poor grammar or spelling, arrival at times such as 2 a.m., misleading links, calls for urgent action and unexpected attachments.
Malicious email can be used to snatch accounts for use by scammers. In 2017, the number of account takeovers peaked at 1,837.
So far in 2019, the number of account takeovers has decreased to 543; a number which is “still more than we’d like,'' according to Haschak. Every time an account is taken over, it requires at least 30 minutes of staff time, adding up to over 271 hours spent recovering accounts this year.
Haschak says ITS uses defense-in-depth strategies, adding multiple layers of security to make successful cybercrime difficult. The use of Duo two-factor authentication software is a key part of stopping email account takeovers, because it requires an extra bit of constantly changing information, making gobbled passwords useless. Duo is optional for email, but students should seriously consider enabling it.
However, not all methods of Duo are equally secure. Haschak says using Duo with a phone number, but not the app, is vulnerable to a SIM jacking attack, where phone companies are tricked by scammers into transferring your phone number to a scammer. Haschak says there have been no known incidents of SIM jacking at BGSU, but given its recent rise in use by cybercriminals, he remains vigilant.
Each text message and phone call sent by Duo also costs BGSU money. While the amount for each is only a fraction of a cent, it adds up to thousands of dollars each year. This money could be spent improving other technology on campus, such as better Wi-Fi or more ITS helpdesk resources.
Haschak recommends using the Duo app for the best security and convenience. Another secure option for students is called a Duo Token. This physical token can be loaned out for free from ITS as a backup option for International Travel or in the event a smartphone is damaged and needs repairs. A token can also be purchased for permanent use at a cost of $20, which is what ITS pays for the unit.
A common scam noted by Haschak, which has claimed several victims at BGSU, is a targeted gift card scam. Scammers will find an organizational chart of employees and create a Gmail account pretending to be a supervisor.
They will send their target an email, pretending to ask a subordinate to get them many gift cards from Wal-Mart, with the promise of reimbursement. Once the codes on the gift cards are sent to the scammer, the target is not reimbursed. Because of the international nature of email, the money is gone for good.
A common scam Maison DeWalt, a senior studying supply chain management and international business, sees is a professor looking for a student employee. He said he receives a couple emails like these in a week, and they are usually from people outside of BGSU.
He says has never clicked on attachment in scam emails and says he is pretty on guard for these things.
Mariah Grow, a junior studying biology estimates she gets “at least 8 a week.” She noted one such spam email was for a $500-a-week job on campus at a professor's lab.
“It didn’t even specify who the professor was,” she said.
Grow also said, "I get a lot for honors fraternities that aren’t even on this campus — but I am in one that actually is on campus, and they always make the joke that when they send out recruitment emails that it just seems fake.”
Legitimate Phi Sigma Pi communications have sometimes been lumped in with the spam messages, noted Grow.
When faced with suspicious emails, it is important to not open attachments or click on included links. Forward the email to firstname.lastname@example.org for review by a professional.