By Katie Meyer
Monday morning, a Fordham email account was hacked by an unknown source, and an email was sent to a large portion of the student body.
The email account’s actual owner noticed the hack a few hours later and sent out an apology for the email, which contained only an invitation to edit what appeared to be a Google document.
However, Fordham’s IT department says it is more likely the email was a scam — a phishing scam, to be exact. Phishing is one of the most common types of online attacks, and it is generally used to steal confidential information, usually through email or similar platforms.
Fordham has experienced phishing incidents in the past; one of the most serious came last January when an executive administrative assistant was hacked, and her account information appropriated. The damage was serious enough that more than 1,500 student accounts were put at risk.
The most recent scam was not as severe, Elizabeth Cornell, IT’s communications specialist, said. Regardless, it has been a while since there was a large-scale phishing email sent to the student body.
Cornell said she did not know many details about the email. The total number of accounts it reached, for instance, was not noted.
“I don’t think we really know where it actually came from,” she said. “That’s part of the nature of a phishing email; it’s very difficult to trace the sender.”
Later in the day after the initial phishing message went out, IT emailed an alert to all the people who had received the message. Cornell said that this email, as well as the IT website, should be enough to inform students on how to proceed.
“The best course of action for someone who receives a suspicious email is to follow the instructions on IT’s website. [You can also] forward it to it customer care,” she said. “It can also be helpful if, when you see an email that seems suspicious, hover your mouse over it. If what shows up doesn’t match what you think the source should be, like it’s just a long string of gibberish, then don’t click on it.”
Cornell said that for situations like these, IT has a fairly formulaic strategy.
“[We] look for evidence of anyone who clicked on the email and may have compromised their account…then we activate blocks on the links so that students can’t click them anymore,” she said. “We have a really solid system in place…it’s tried, it’s tested. We dot our I’s and cross our T’s.”
Still, she noted, new challenges pop up fairly often in the world of online hacking.
“The people who do phishing emails and spam are constantly evolving — it’s just a matter of not getting complacent,” Cornell said. “We’re in a good place, because Shannon [Shannon Ortiz, director of IT security] is about the least complacent person. I think we stay on top of it.”
Even so, she added that it does not hurt to be prepared. There are a few steps students can take to keep their information safe if they do fail to notice a suspicious email click a bad link. The best, according to Cornell, is to immediately call IT’s customer care.
If students do not take action, there can be very real consequences.
“They could put malware on your computer, they could have everything you do be watched or recorded externally … there have even been cases where computers have been locked down or owners have lost control of their devices,” Cornell said.
In the end, she emphasized, prevention is best.
“Some students still click on the links,” she said. “But if you just pay attention, if you just look at what’s being sent to you, you can generally tell it’s a phishing email. There are signs. It’s just about being careful.”