Get the latest Syracuse news delivered right to your inbox.
Subscribe to our newsletter here.

Syracuse University’s Information Technology Services has seen “high volumes” of phishing activity in recent weeks, according to a Jan. 17 campus-wide email.

Phishing emails are a form of online scam in which a phisher will try to “trick” users into revealing their password or other sensitive information to infect computers with malware, the ITS Phish Bowl website states. The phishers will utilize companies’ or institutions’ logos, fonts and colors to make their emails look more realistic, according to the website.

Anika Sahityani, a senior dual major in finance and information management and technology, said she has noticed the most phishing emails this year.

“I get them a lot,” she said.

ITS has reported three phishing emails on the ITS Phish Bowl website throughout January 2024. The last report of phishing emails before January was from August 2023.

Joon Park, a professor with a focus in cybersecurity in SU’s School of Information Studies, said he discusses phishing email attacks in his classes. In one of his classes, he conducted a survey with his students regarding the frequency at which they receive phishing emails.

Park said advancements in artificial intelligence have contributed to an increase in phishing emails.

“We can easily generate phishing emails with generative AI, which can make phishing emails sound more realistic and more attractive,” Park said.

There are two typical forms of attack when it comes to phishing: malicious email attachments and URL links, Park said.

Users can fall victim to malicious email attachments when a file is opened, while malicious URL links can affect users when the email convinces the potential victim to click the link, Park said.

Erin Makarova, a senior in the iSchool and the vice president of SU’s Information Security Club, said phishing emails are not just a technology issue, but a social one too.

“Email is more personal (than the internet). You trust it more, usually, so you’re more prone to click on it,” Makarova said. “It’s a big social thing.”

Makarova said that the most dangerous part of phishing emails is its effect on the recipient.

“It’s a good practice to not run as your admin account, your daily business and to kind of separate your passwords and change them,” Makarova said.

Cindy Zhang | Digital Design Director

Phishing attacks, in all forms, remain one of the top threats for all organizations, including SU, according to a statement to The Daily Orange from Eric Ferguson, director of communications at ITS.

In 2020, a successful phishing attempt gave someone unauthorized access to a university employee’s email account, allowing the attacker to access thousands of students’ sensitive information, including social security numbers and credit card information. The data breach affected over 9,800 students, applicants and alumni, who now may be entitled to up to $10,000 for “extraordinary losses” following the settlement of a class action lawsuit.

In the settlement, SU agreed to integrate “meaningful information security improvements” and provide “sufficient documentation” that proves it has either implemented or will implement security-related measures, according to the memorandum. The university previously told The D.O. it does not share the specifics of protection methods in order to prevent bad actors from using the knowledge to “propagate system-level and social engineering attacks.”

“The level of sophistication runs a broad spectrum from poorly written email blasts reaching large populations of students, faculty and staff to highly sophisticated targeted social engineering attacks against select individuals,” Ferguson said.

Through her enterprise risk management class with Professor James Enwright, Sahityani said she learned various ways to prevent phishing. She recommended securing backups, using security software, practicing safe surfing, only using secure networks and implementing a security awareness program.

Sukhleen Atwal, director of internal operations for SU’s Student Association and student consultant for ITS, delivered a presentation on phishing during SA’s Dec. 4 meeting. She gave tips about how to prevent phishing and outlined a course of action for phishing victims.

Atwal also warned assemblymembers about the potential dangers of falling for one of these schemes, telling them phishing schemes do not only have the potential to impact the individual but can compromise “entire departments” on campus.

“I promise you it has been at a much higher rate over the past month or so,” Atwal said during the meeting. “Almost every third student has been phished and has fallen for it.”

Ferguson wrote in his statement that if students feel their University account has been compromised, they can contact the ITS Security Center and ITS will walk them through securing their account and will contact the Information Security Office to look for any evidence of compromise.

Published on February 1, 2024 at 1:06 am

Contact Claire: [email protected]