Since the beginning of the term, students have reported receiving job offers via phishing emails to their Dartmouth accounts. These emails are sent with the draw of high pay and flexible working hours, but they solicit students’ addresses, full names and phone numbers. The sensitive data obtained could potentially lead to identity theft and financial loss.
Phishing emails happen every year and target new students, according to interim senior director of information security Sean McNamara.
“The bad guys, the folks from the outside — they know there are new people coming to campus who may not have as much experience seeing and dealing with these sorts of messages,” McNamara said.
Because email directories are public information, anyone can gather lists of Dartmouth students’ email addresses. To target more students, phishing emails are often sent simultaneously to all Dartmouth community members with the same first name.
Dartmouth’s new Duo two-factor authentication process — officially implemented over the last few months to secure access to College-related accounts — does not directly prevent the phishing emails. However, because students are required to verify their identity on a separate device, external parties cannot gain access to accounts for which they know the password.
“Because your machine is the one that’s authenticated, if the hacker uses a different machine for Duo, it’s still going to flash,” said chief information officer Mitchel Davis. “And their phone’s not approved — only yours is.”
Phishing emails themselves are relatively harmless unless students reply with personal information; if they share any information, hackers may obtain other forms of communication or sensitive data. McNamara said he warns specifically against providing a cell phone number, as phones generally have less protection than emails.
“As soon as you give them a phone number, they’re going to switch to text,” McNamara noted. “They want to get out of band with you. At that point, there’s no spam or phishing protection on your phone with text messages.”
Since these emails are disguised as lucrative job opportunities, students may feel a sense of urgency to be the first to respond. They can also be sent out to coincide real events on campus in an attempt to appear legitimate.
“We’re more likely than not dealing with organized crime who have capable people constructing these campaigns,” he said. “There’s certainly some planning and thought that goes into these messages.”
Some phishing emails sent to students include attachments, which are especially dangerous because they may bypass the automated security measures that scan messages. These attachments could include malware or ransomware intended to infect and encrypt the computer.
The Information, Technology and Consulting department is currently working on adjusting its threshold for what type of emails students receive, according to McNamara. It is a delicate balance, as blocking emails sent from faculty or other Dartmouth community members is often more harmful than the consequences of phishing emails.
“Really, it’s a matter of looking at data: seeing the number of false positives you’re getting, the number of accurate classifications you’re getting and then making very small adjustments and seeing if that has a positive effect without upsetting people,” McNamara said.
The challenge in developing ways to combat phishing emails is continuous. McNamara added that as soon as tools are introduced to protect students’ email addresses, the hackers are able to develop more sophisticated phishing emails to elude the new measures.
These scams seem insignificant in terms of financial gain, yet cyber crimes regularly rake in billions annually, according to the Center for Strategic and International Studies’ website. Because phishing emails are sent en masse at very low costs, hackers only need a fraction of people to respond to their emails in order to profit.
“These people are making tons of money — they have tons of resources to throw at this problem,” Davis said. “There’s not as much money to fight it as to exploit it. To fight it, you have to block thousands of points of access; to exploit it, you only need to find one.”
However, McNamara emphasized that the best way to protect students from phishing attacks is through spreading awareness. Miles Harris ’23 said he is already vigilant in these efforts.
“Sometimes I’ll post [a screenshot] in the ’23s GroupMe, or generally other people will be showing their friends like, ‘Hey, look at this dumb email I got,’” Harris said.
The ITC department is also collaborating with the DALI Lab to develop measures that would raise awareness about phishing emails. McNamara explained their project as a “phishing tournament,” in which students would receive prizes for reporting the scam emails. With this reward structure, he hopes to motivate students to spread the word about phishing. The project intends to launch in mid-2020.
