A phish in the water: Phishing attempts can be hard to avoid, detect, WSU officials say

Andrew Linnabary

Wichita State traffics 3.3 million emails a day to students, faculty and staff, but only 10 percent are valid, said David Wright, chief data officer at WSU.

“That just tells you the magnitude of how we’re getting hit,” he said. “When you’re the police officer on the beat, you see everything is bad.”

The most recent phishing attempt happened Monday, when WSU notified users by email not to comply with a message asking them to increase their mailbox size.

Rob Phillips, WSU’s manager of server support, explained that phishers “cast bait out” to electronically communicate their way into a system. Some steal graphics from the pages or sites they are posing as.

Phillips said once a victim provides a password, the phisher sends out thousands of pieces of spam, posing as the victim’s account.

A phisher’s main goal is to send out spam, but some are much more nefarious. A phisher may pose as a WSU staff member or other official and ask for social security numbers or other information, Wright said.

He said the consequences of not being diligent online can jeopardize the institution.

“We’ve become complicit in our day-to-day activities, largely because we’re so busy,” Wright said.

He said it’s not just an issue for students. Faculty and staff make the same mistakes.

A year ago an employee was working with a vendor to remodel their house, and the vendor wanted to verify that the employee’s credit card information was correct, Wright said. The vendor sent the employee’s credit card information to their campus email.

“Within an hour, that person had charges from Africa for airline tickets,” Wright said.

Depending on a WSU employee’s level of access, a phisher may be able to add or drop students from classes, pull up academic records or view payroll and employment information, Wright said.

WSU uses a 90-day password period, leading students, faculty and staff to use weak passwords, Wright said. Many reuse old passwords and simply change the number at the end.

“The biggest mistake is reusing passwords. What can happen is if you accidentally give away your WSU password, and it’s also your banking password, then they may not have too hard of a time getting into your banking account,” Phillips said.

Phillips said getting a password wallet that stores multiple passwords is good for creating stronger passwords that don’t need to be remembered. He recommends LastPass, which is free for general use.

When making passwords, avoid using personal information. Many people tend to use their birthday or wedding date, Wright said.

“People say, ‘I don’t have anything on my computer, what do I care if somebody gets in?’ Well, they want your IP address. They want to be able to attack other computers from your computer and make it look like it’s you, whether you have any valuable information on your machine or not. You’re providing them a vector to be able to attack others from,” Phillips said.

For every gain, and as more people become educated, new ways of getting personal information are devised, Wright said.

“We lock our cars because we’re pretty much certain that they’re going to be stolen if we don’t, and yet we do not have the same attitude toward emails.”

Ten tips to prevent security breaches

1. Don’t give away your access. If a request wasn’t solicited by you, don’t assume that it’s legitimate.

2. Don’t reuse your passwords for every site.

3. Don’t use easy or simple passwords. They should have at least eight characters with a mix of upper and lower case characters, numbers and symbols.

4. Close the browser before you leave any computer.

5. Lock your computer when you walk away.

6. Don’t send banking or credit card information over email.

7. Don’t send your birthdate or social security number over email.

8. Don’t click on links in email. They could install malware on your machine that will steal your credentials.

9. Make certain that your operating system patching and antivirus software are up to date.

10. Don’t use public, unencrypted Wi-Fi to access university systems without the use of a VPN.
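The following is an added example, not code from the article or from WSU, showing how a password policy checker could enforce tips 2 and 3 and catch the two weak habits the article describes: rotating an old password by changing only the number at the end, and embedding personal information such as a birthday. The minimum length, the character classes, the names and the birthdate used below are constructed sample values, not a published WSU policy.

```python
import re
from datetime import date

# Tip 3: at least eight characters with mixed case, numbers and symbols.
MIN_LENGTH = 8


def character_class_gaps(password):
    """Return the required character classes the password does not contain."""
    checks = {
        "lowercase": re.search(r"[a-z]", password),
        "uppercase": re.search(r"[A-Z]", password),
        "digit": re.search(r"\d", password),
        "symbol": re.search(r"[^A-Za-z0-9]", password),
    }
    return [name for name, found in checks.items() if not found]


def _strip_rotation_suffix(password):
    # Drop a trailing run of digits (and any symbols after it), so that
    # 'Wichita1!' and 'Wichita2!' both reduce to 'Wichita'.
    return re.sub(r"\d+[^A-Za-z0-9]*$", "", password)


def is_rotated_variant(new, old):
    """True when `new` is `old` with only the trailing number changed,
    the 90-day rotation habit the article describes."""
    base_new = _strip_rotation_suffix(new)
    base_old = _strip_rotation_suffix(old)
    return bool(base_old) and base_new.lower() == base_old.lower()


def date_tokens(d):
    """Expand a date into the digit strings people commonly type:
    year, MMDD, DDMM, MMDDYYYY, DDMMYYYY and MMDDYY."""
    return {
        f"{d.year}",
        f"{d.month:02d}{d.day:02d}",
        f"{d.day:02d}{d.month:02d}",
        f"{d.month:02d}{d.day:02d}{d.year}",
        f"{d.day:02d}{d.month:02d}{d.year}",
        f"{d.month:02d}{d.day:02d}{d.year % 100:02d}",
    }


def contains_personal_info(password, personal):
    """True if any personal token (name, date form) appears in the password.
    Tokens shorter than four characters are ignored to limit false positives."""
    lowered = password.lower()
    return any(len(t) >= 4 and t.lower() in lowered for t in personal)


def check_password(new, previous=(), personal=()):
    """Return a list of policy findings; an empty list means the password passes."""
    findings = []
    if len(new) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    gaps = character_class_gaps(new)
    if gaps:
        findings.append("missing " + ", ".join(gaps))
    for old in previous:
        if new == old:
            findings.append("reuses a previous password")
            break
        if is_rotated_variant(new, old):
            findings.append("is a previous password with only the trailing number changed")
            break
    if contains_personal_info(new, personal):
        findings.append("contains personal information (name or date)")
    return findings


if __name__ == "__main__":
    # Constructed sample user: hypothetical name and birthdate, not real data.
    personal = {"jane", "doe", *date_tokens(date(1999, 3, 14))}
    for candidate in ["shocker", "Wichita2!", "Jane03141999!", "Tr0ub4dor&3"]:
        result = check_password(candidate, previous=["Wichita1!"], personal=personal)
        print(f"{candidate!r}: {result or 'OK'}")
```

The rotation check is the one most password policies miss: a length and character-class rule is satisfied by `Wichita2!` even though it is functionally the same secret as `Wichita1!`. Comparing against the previous password's base, rather than the whole string, is what makes the check useful.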