Don't Take the Bait: Defending Institutional Data From Phishing

Excerpt from https://www.edurisksolutions.org

Between 2012 and June 2017, educational institutions publicly disclosed more than 200 data breaches. Nearly half of these incidents were the result of hacking, malware, or phishing. Phishing is a type of email attack in which a scammer attempts to obtain confidential information for malicious purposes by posing as a trustworthy entity. This is typically achieved by sending email messages with a forged sender address, a practice known as spoofing. The forgery may be outright (the message claims to come from a real address it did not originate from) or approximate: the display name most mail clients show is set by the sender and can be anything, while the underlying address is a lookalike that differs from the real one by only a few characters.

While educational institutions are common targets for phishing attacks, there are steps you can take to reduce the chance that an attack succeeds, and with it the likelihood of litigation.

Two recent claims highlight the risks associated with phishing-related data releases.

  • An HR administrator received what she thought was a legitimate email from the university’s president, requesting the W-2 form of every employee. W-2 forms contain confidential personal information, including an employee’s name, mailing address, income, and Social Security number. The From line displayed the president’s name, but the underlying sender address was a few characters off from the president’s real address. Unfortunately, the administrator replied with unencrypted PDF files containing the W-2s of more than 1,300 current and former employees.
  • An HR administrator at another institution responded to a similar email, compromising the sensitive information of approximately 3,000 employees.

Both of these successful phishing attacks resulted in numerous instances of identity theft, including fraudulent tax return filings, attempts to open credit card accounts, and an alleged attempt to open a mortgage in an employee’s name.

Do your part to protect your personal data and the University from theft and unauthorized access.

  • Never send information, yours or the University’s, to unknown or unverified people.

  • Avoid re-using passwords across multiple sites and accounts.

  • Check the actual sender address, not just the displayed name, of people who send you email. A familiar name on the From line proves nothing; make sure the address itself is legitimate and matches the one you already have for that person.

  • If you receive a request for sensitive information, money, gift cards, or other purchases, think twice and call once! Call that person at a known number and validate that the request is real.

  • Enroll in Duo and other methods of two-factor authentication wherever they’re available.

  • Enroll in the LastPass password manager offered by Georgetown.
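The sender check in the list above can be made mechanical. As an added example that is not part of the original page, the script below parses a From header, separates the display name from the underlying address, and compares the address against a directory of known senders and the institution's own domain, flagging exactly the pattern in the W-2 case: a correct name paired with an address that is a few characters off. The domain example.edu, the sender directory, the lookalike threshold, and the sample headers are assumptions constructed for illustration.

```python
"""Sender-address check for a suspicious From header (added example)."""
from email.utils import parseaddr

# Assumption: the institution's real mail domain.
INSTITUTION_DOMAIN = "example.edu"

# Assumption: a directory of known senders, display name -> real address.
KNOWN_SENDERS = {
    "Jane Doe": "jane.doe@example.edu",
}

# Domains within this many single-character edits of the real domain are
# treated as lookalikes rather than merely "external".
LOOKALIKE_THRESHOLD = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many characters 'off' one string is from another."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_from_header(header: str) -> list[str]:
    """Return reasons to distrust the header; an empty list means it matches a known sender."""
    name, addr = parseaddr(header)
    name, addr = name.strip(), addr.lower()
    findings = []

    if "@" not in addr:
        findings.append("no usable address in From header")
        return findings

    domain = addr.rsplit("@", 1)[1]
    if domain != INSTITUTION_DOMAIN:
        if edit_distance(domain, INSTITUTION_DOMAIN) <= LOOKALIKE_THRESHOLD:
            findings.append(f"lookalike domain {domain!r} mimics {INSTITUTION_DOMAIN!r}")
        else:
            findings.append(f"external domain {domain!r}")

    expected = KNOWN_SENDERS.get(name)
    if expected is None:
        findings.append(f"display name {name!r} is not in the sender directory; verify out of band")
    elif addr != expected:
        # The W-2 pattern: the name the client shows is right, the address is not.
        findings.append(f"display name {name!r} is known but address {addr!r} is not "
                        f"{expected!r} (edit distance {edit_distance(addr, expected)})")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        '"Jane Doe" <jane.doe@example.edu>',        # genuine
        '"Jane Doe" <jane.d0e@example.edu>',        # one character off, same domain
        '"Jane Doe" <jane.doe@examp1e.edu>',        # lookalike domain
        '"Jane Doe" <janedoe.president@gmail.com>', # display-name spoof from webmail
        'Jane Doe',                                  # no address at all
    ]
    for h in samples:
        problems = check_from_header(h)
        print(f"{h!r}: {'OK' if not problems else '; '.join(problems)}")
```

The check is deliberately conservative: anything that is not an exact match against the directory comes back with at least one finding, because the correct response to an unverified request is the one the list already gives, a phone call to a known number, not a judgement about how suspicious the address looks.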