ITSS phishing out scam emails


Scott Kodai working in his ITSS office. Photo credit: Elizabeth Helmer

On Feb. 19, 277 Blackboard accounts, student center accounts and Wildcat emails could no longer be accessed. The accounts were shut down on that late Friday afternoon leaving students stranded for help restoring their online academic lives until the next week.

The following Monday, the IT Support Services’ lobby was flooded with students. At times, the line went out the door and students waited for over an hour to get assistance. ITSS staffers scrambled to help everyone who came in, but since each student required almost 15 minutes of help time, the flood of students didn’t let up.

All 277 students were victims of the email phishing scams that found their way into almost every Chico State student’s Wildcat Mail. They bypass the spam filter by using what looks like real Chico State email accounts, claiming the student needed to validate their account (or something else that asks for the student’s username and password) with a link that usually reads “click here.”

About 10 percent of students have clicked that link and entered their username and password this year, falling victim to the hackers. Scott Kodai, manager of IT Support Services on campus, explained why hackers are targeting student emails.

Scott Kodai, manager of IT Support Services. Photo credit: Elizabeth Helmer


“They can see your home address, they can see your Social Security number, they can see your financial information, they can see your parents’ information. There’s a lot of stuff if you go into your student center and start clicking around. They would be able to do all of that which gives them the tools to literally steal your identity,” Kodai said.

He added that the eventual goal of the scammers is to send emails to accounts outside of Chico State, claiming to be financial institutions so they can get people to login with their bank information.

That’s why in February, Kodai and the rest of ITSS felt they had no choice but to shut down almost 300 accounts, even though it meant limiting hundreds of students’ access to their online portal.

“It’s not like everyone falls for it. It’s just people who are not paying attention, or who aren’t tech savvy or who don’t think that will happen,” Kodai said. “Being suspicious is the best solution.”

Mark Hendricks examines possible scam emails in the Information Security office. Photo credit: Elizabeth Helmer


Mark Hendricks, the director of Information Security, also cites email access on cellphones as a potential reason to why so many students are falling for the phishing scams.

“With mobile devices it’s harder to see the look and feel of a message,” Hendricks said.

The Information Security Office is leading the investigation into the phishing scams, as well as creating ways to prevent more students from compromising their accounts. However, there is no magic button ITSS or Information Security can push to make phishing scams go away. They’ve spent hundreds of hours investigating the situation and collaborated with Google to upgrade Wildcat Mail to the best security settings. “We’ve done as much as we can short of turning (Wildcat email) off,” Hendricks said.

ITSS and Information Security have turned to awareness campaigns. The main point that ITSS wants students to know is that Chico State will never ask for your password through an email. They’ve already displayed posters around campus, sent emails to students and displayed a message on everyone’s Blackboard home page. For the future, they’re looking into adding phishing awareness to first-year orientation.

Janelle Bettencourt, sophomore mechatronic engineering major. Photo credit: Elizabeth Helmer

Janelle Bettencourt, sophomore mechatronic engineering student, says she noticed the emails were scams right away.

“They all had the same outline, they didn’t have a proper signature and they were trying to get information from me,” Bettencourt said.

Bettencourt, who works as a desk attendant at the resident halls, noticed that first-year students were more susceptible to the scam.

“A lot of residents were coming up to me and asking me if they actually had to give them information,” Bettencourt said. “Some said they already did it.”

She noticed a difference since the awareness campaign started.

“I think it’s been really helpful. It’s really easy for people to fall for stuff like that, especially freshmen,” she said.

The awareness campaigns seem to be working. ITSS has not dealt with the kind of huge shutdown that happened in February. Accounts are still being shut down every day, and security staffers like Hendricks are still dealing with the scam’s effects.

“It’s going down,” he said, “but it’s not going down fast enough.”

Elizabeth Helmer can be reached at [email protected] or @lizziehelmer on Twitter.