Phishing emails plague inboxes, promising glamorous things in an attempt to get your private information. Chico State students are often the target of phishing campaigns and are forced to distinguish between safe and dangerous emails.
Phishing emails are one of the most common forms of cybercrime, Director of Information Security and Identity Management Chris Witthans said. The bait is typically job offers with a large compensation or urgent messages asking receivers to secure their accounts.
A phisher-man’s primary motive is financial, Witthans said. Attackers target your email, student ID, password, phone number and other private information.
With that information, attackers can mess with students’ financial aid information and settings and wreak havoc on student and staff accounts.
All of this information can potentially be devastating when in the wrong hands, especially for those who use the same password for critical services like their banking or email accounts.
But phisher-men need to go toe-to-toe with IT Support Services (ITSS) and Information Security and Identity Management (ISEC).
At Chico State, ISEC and ITSS work closely to monitor the inboxes of all university email accounts and react quickly when a phishing email is spotted.
In the last 90 days over 6,271 unique emails have been reported using the phish button, Witthans said. He also estimated — with agreement from ITSS Director Amandeep Grewal — that around 30 to 50 accounts are compromised each month.
This is a fact that Zion Fozo, a junior majoring in political science, knows all too well. In Fozo’s first semester, she received a phishing email.
“I almost fell for it because, you know, it’s a scary email to receive … I assumed it was true,” Fozo said.
It wasn’t until one of Fozo’s friends pointed out it was a phishing email that she stopped herself from putting her private information into the form.
Students impacted may be spammed with many Duo requests, and flustered students may accidentally hit accept, Witthans said.
Compromised student email accounts are often used to try and deceive others, Witthans said. Sometimes their information is sold online.
But there are ways to identify phishing emails. For example, many emails will contain these errors:
- Grammar
- Spelling
- Salutation
- Wrong university division names
Students may feel ashamed once they have successfully been phished, said Jatinder Sandhu, the manager of communications and partnership development for ITSS, but attackers are targeting specific people and using social engineering to come after their private information.
“They work to create a safe space and want to leave no room for shame,” Witthans said.
They work to create safe spaces by sending emails and phishing training simulations and by assigning long training videos to every student, faculty and staff member.
They’re also aware people don’t read their emails. That is why they started the Festival of the Phishes, which held its first event in the rain last year with over 1,000 people attending.
The Festival of the Phishes was a way to engage students to participate in learning about cyber security in a fun and digestible way. They hosted themed games, such as “Slam the Spam,” to help educate students on how to stay safe.
The Festival of the Phishes will return this year, hopefully in clear, sunny weather on Oct. 1.
It’s all about security awareness, Witthans clarified. He explained how successful the training has been. They have had more students reporting phishing attempts after training.
However, new students unfamiliar with the university’s safety guidelines often lead to more compromised accounts.
The university requires every new student, faculty and staff member to undergo cyber security training, and regular reminders go out when a large phishing campaign is detected. The reminders include important information on how to stay safe and spot phishing emails.
And these threats shouldn’t be taken lightly. In California, victims were scammed out of more than $14.6 million in 2022 alone, the FBI’s annual crime report states.
AAG, a cyber security company, states over 3.4 billion phishing emails are sent every day, with millennials and Gen Z being the most targeted groups.
As a resident advisor, Fozo explained she receives messages from her residents asking if certain emails are “legit.” With help from the training, she can help prevent her residents from putting their information into those forms.
Fozo commonly refers residents to ITSS, telling them to call ITSS if they are ever in doubt.
An attacker with access to someone’s email can now attempt to trick others using their email. Many attackers will change email settings to avoid being detected, Witthans said.
Grewal wanted to stress the importance of students reaching out to ITSS if they are ever skeptical about an email.
Students can see the phish button on their Outlook accounts at the top right corner. If the phish button isn’t appearing, they can follow these steps from ITSS to help add the phish button.
Chris Hutton can be reached at [email protected].