On campus

ITS anti-phishing security cannot stop every threat

Daily Orange File Photo

All emails sent to SU faculty, staff and students go through ITS’ spam email and anti-phishing security system before reaching the recipient.

Syracuse University’s Information and Technology Services is unable to detect all threatening and targeted emails through its security system, ITS security officials said.

Christopher Croad, chief information security officer at ITS, said about 1 million emails are sent to SU email addresses on a daily basis. An estimated 50,000 emails on average are potential phishing or spam emails.

All emails sent to SU faculty, staff and students go through ITS’ spam email and anti-phishing security system before reaching the recipient. The system’s rules are manually drafted based on patterns of prior harmful emails.

Threatening emails cannot be prevented through ITS if the department has not discovered a similar email previously, said Richard Ameele, manager of ITS core infrastructure services.

“It’s not dynamic,” Ameele said. “It doesn’t learn on its own. The rules are written by people and they’re pushed to us once per day. If we don’t customize something based on feedback from the community, the filter doesn’t learn anything.”



SU professor Genevieve García de Müeller received a threatening anti-Semitic email in November that referenced the Holocaust. She reportedly received another “racist threatening email” on Dec. 20. The Syracuse Police Department is investigating both incidents.

A targeted email such as the one sent to García de Müeller went through the ITS system and was likely undetected, Ameele said.

Croad did not see a rise in threatening emails during or after racist, anti-Semitic and bias-related incidents that occurred at and near SU last semester, he said. ITS removes a majority of suspicious emails before they reach the campus community, he said.

“I don’t recall seeing any attacks related to those incidents,” Croad said. “They could have happened and maybe we weren’t made aware of them. People, especially faculty and staff, are pretty good about notifying us when they see things.”

Ameele said he was asked to add security rules blocking emails that contain certain subject matter during the string of hate crimes at SU. The majority of emails since have been the usual phishing attempts and spam emails, he said.

Students still receive spam emails in their SU email accounts because ITS may not have written system rules targeting those emails yet. Students should report harmful emails to ITS so the department can investigate and prevent the messages from spreading, Ameele said.

While ITS looks at harmful emails for dangerous content, Croad said ITS staff do not monitor and read student or faculty emails.

ITS subscribes to a threat intelligence feed, a third party source that informs staff of internet security hazards and bad IP addresses several times a day. ITS uses this information to track if the same threats enter SU’s online systems.

People create phishing emails because there’s financial value in gaining access to users’ email account information, Croad said. Once account information is obtained, other personal information becomes accessible, he said.

Croad and Ameele said students should look at an email’s sender before opening the message. If students are unsure if an email is legitimate, they should hover over links before clicking them to see where they actually lead.

Since implementing multi-factor identification in April 2019, ITS saw a sharp decrease in compromised SU email accounts, Croad said. Multi-factor identification allows users access to a computer’s contents after their log-in is verified through multiple means.





Top Stories