University of Michigan warns against email scams as some direct deposit accounts are compromised
The University of Michigan is experiencing a newly sophisticated type of cyber attack: an email scam that attempts to get employees' passwords, gain access to their personal information and redirect their direct deposits.
The school is no stranger to phishing attempts. Employees receive several spear phishing attempts—in which scammers impersonate an institution, in this case U-M, in an effort to get victims to offer up sensitive information—each month. For example, U-M has recorded six wide-scale phishing attempts already this month and more than 60 since January.
However, in past scams, perpetrators haven't taken advantage of the information gleaned to manipulate an employee's direct deposit account. Attempts are also becoming more convincing.
In recent weeks multiple U-M employees have had their direct deposit accounts changed, although U-M was able to recover all the funds.
"That's an activity that we haven't seen before," said U-M chief security officer Paul Howell. "It wasn't always the case that the information was being used."
The school estimates fewer than 10 people who fell prey to the phishing attempts had their direct deposit access manipulated. Altogether, fewer than 50 people have offered up their personal information or passwords to scammers in recent weeks.
Successful attempts can disclose passwords, which can leave vulnerable an employee's U-M account and all the information held within it, putting them at risk for identity theft. If a victim uses the password for other accounts, those accounts can be breached as well.
"The defenses against these things are very difficult," Howell said.
The phishing attempts range in sophistication and believability. For example, an attempt on August 13 had the subject line "NOTIFICATION !!!," but others have had subject lines like "Letter From University of Michigan" and have signed off saying "The Regents of the University of Michigan."
Some have linked to webpages—on which the perpetrator instructs the victim to enter their password—that don't look at all like a U-M interface, while other webpages have been very convincing.
An email that convinced several U-M employees to offer up personal information is transcribed below:
Date: Tuesday, August 06, 2013
Subject: Letter From University of Michigan
Your account profile will expire today.
Kindly Click Here [LINK REMOVED] to validate.
Sincerely, University of Michigan
All rights reserved. Copyright © 2013 University of Michigan
U-M has firewalls and filters in place to detect email scams, but with perpetrators constantly honing their attempts, phishing can be difficult to thwart.
"They're getting more sophisticated," U-M Police Department spokeswoman Diane Brown said of the hackers. "[We] make patches to try to stop them but the perpetrators find another unique way to make it look more legit and it passes through filters."
U-M is trying to educate its workers on how to avoid phishing attempts and differentiate scam emails from legitimate U-M ones. Brown stressed the importance of not using the same password for multiple accounts and regularly checking direct deposit and payroll information.
The school cautions employees to beware of emails that have a sense of urgency and use terms like "validate," "verify" and "update your account." Employees are cautioned to look at URLs included in emails to see if they match the umich.edu domain. Also, when entering a password, the characters should be hidden as they are typed. If they're not, that's a sign something could be amiss.
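The two checks the school describes (urgency wording and whether a link's host really belongs to umich.edu) can be automated for mail triage. The following is an added example, not part of the original article or any U-M tooling; the function names and the sample link are constructed, since the real link was removed from the transcript.

```python
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "umich.edu"
# Terms the article says employees are warned about.
URGENCY_TERMS = ("validate", "verify", "update your account")
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def host_is_trusted(url, trusted=TRUSTED_DOMAIN):
    """True only if the URL's host is the trusted domain or a subdomain of it.

    A substring test is not enough: 'umich.edu' also appears in
    'umich.edu.account-check.example' and in the userinfo part of
    'https://umich.edu@login.example/'.
    """
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:          # malformed URL: treat as untrusted
        return False
    host = host.rstrip(".").lower()
    return host == trusted or host.endswith("." + trusted)


def triage(subject, body):
    """Return the urgency terms and off-domain links found in one message."""
    text = f"{subject}\n{body}".lower()
    terms = [t for t in URGENCY_TERMS if t in text]
    off_domain = [u for u in URL_RE.findall(body) if not host_is_trusted(u)]
    return {
        "urgency_terms": terms,
        "off_domain_urls": off_domain,
        "needs_review": bool(terms or off_domain),
    }


# Constructed sample modelled on the transcribed email; the URL is a
# placeholder under the reserved .example TLD, not the original link.
SAMPLE_SUBJECT = "Letter From University of Michigan"
SAMPLE_BODY = (
    "Your account profile will expire today.\n"
    "Kindly Click Here <https://umich.edu.account-check.example/validate> "
    "to validate.\n"
    "Sincerely, University of Michigan\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_SUBJECT, SAMPLE_BODY))
```

A hit on urgency wording alone will also match some legitimate mail, so the result is a prompt for review rather than a verdict.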
Below is a U-M-produced video on avoiding phishing attempts.