By: Mikayla Alexander
In the internet age, phishing or scamming attempts are a stranger to no one. The rise of this internet issue is said to have begun in the mid 1990’s using AOL. "The History of Phishing” by Phishing.org states,“Phishers conducted attacks by stealing users’ passwords and using algorithms to create randomized credit card numbers. The random credit card numbers were used to open AOL accounts, which were then used to spam other users and for a wide range of things.”
Photo by Microsoft Learn
By 1995, AOL cracked down on these attempts and the algorithms used for generating credit card numbers. Phishers then moved on to the most common technique by pretending to be AOL employees through email and asking for sensitive email or financial information.
Today anyone with online information or an email address is at risk, even those within a university database. It even seems as if those targeting UMSL specifically are possibly aware of the timeframe in which a student is obligated to change their school email password, which is roughly every six months. This information is open and even posted on the UMSL website for students, but depending on when your password was last set up, the date for every six months could be different for everyone.
Around October, I reset my student email password. Less than a week later, I received an email in my school account telling me that my password was overdue for a reset and that I had until the end of the day to do so before Microsoft would delete my account. I recall being extremely hesitant and even second-guessing myself despite knowing I had already secured my password. Two things prevented me from believing the legitimacy of this correspondence.
The first thing was the simple fact that I had reset my password already using the UMSL password services accessed by their Password Management Tools site.
The second thing that prevented me from being a victim of this phishing attempt was reasoning. The attacker made it seem as if had been frequently contacted already to change this password, hence the urgency of it needing to be done by the end of the day before my account was closed. I acknowledged that no attempts of communication regarding my password had been made in frequency. Secondly, I acknowledged that Microsoft or UMSL shutting down my account completely and at random, was highly unlikely.
Despite being able to avoid this phishing attack and using my reasoning to deduce it as such, another factor outside of the message content caused my hesitancy. This factor was the presence of the red banner warning that is automatically employed when a message is from “external sources.”
This red warning banner is also used for verifiable senders such as campus announcements made by the Recreational and Wellness Center (REC). Obviously, with phishing, we are educated on using certain deductive skills, and it might be easy to tell what a campus announcement is versus what a phishing attempt might be. Despite that, I would still question this seemingly singular technique’s effectiveness.
Why would the red banner make itself present for legitimate and suspicious activity, instead of just giving clearance to confirmed 3rd party web apps used for campus communication? Could there be a more effective way, that is currently being worked on, so that school email algorithms can be adapted to warn students only of legitimate suspicious activity?
What I found most alarming in this experience was the timing. I cannot help but question whether the attacker was monitoring the date of when my six months were coming up and hoped I would mistake them as legitimate correspondence when the time came. It could be possible that they were aware of my deadline coming up but did not perceive that I would change it earlier and wanted to quickly attempt to get control of the situation as well as my information. I questioned if they did not know at all about the date of my six-month deadline but were monitoring my activity when I did change my password and were hoping for the urgent message to scare me into changing it again.
One overarching question I have is, why attack students and staff specifically? If anything, the growing digital reliance both in everyday life and academia would help equip us with vigilance against these attacks. Are they perhaps still relying on a lack of awareness of what a solid attempt looks like?
I got in contact with UMSL’s IT Services in hopes of discussing a few of these questions and concerns but have yet to receive any. In the meantime, here are some tips provided by UMSL’s IT Services that students and staff should use to work their phishing discernment muscles.
The most important things to remember (especially in the case of a red banner warning) are: 1) verifying the identity of the sender and 2) verifying the accuracy of the information sent. You should try to get in direct contact with whomever the potential phisher is impersonating, by using the UMSL website or directory, to verify the message. Also, remember to report the email to IT Services directly. You do this by opening the email you were sent, selecting the “more actions” button in the upper right corner of the message (put your mouse over the ellipsis), and select “Report Phishing.” You can also forward the message directly to abuse@umsl.edu.
If I had not been paying such close attention, my hesitation would have led to this phishing attempt being successful. These attempts seem like an inevitable experience for anyone with a digital footprint, which likely makes students of this era a good target. I think that we should all be vigilant and practice our critical thinking in these circumstances, but I must wonder what preventative measures should be explored so that they happen less frequently and put us all at lower risk. It is upsetting to think about the threat of personal information theft as simply a consequence we must live with and continuously protect ourselves against.