By Emma Overton ‘22

News Editor

It is doubtful that when M. Sean Riedel took his new position as Chief Information Officer at Lake Forest College this past July (after having served as vice president of operations for Ingeniux Corporation, a leading web content management and delivery company, and before that as associate vice president for Knox College), he could have imagined that technologically savvy college students could get caught in phishing scams preying on their College email accounts. However, that is exactly what happened to College email accounts beginning on Sunday, October 14.

In the following online Q & A with Stentor News Editor Emma Overton, Riedel provided answers to phishing and other online security questions for the entire campus community. Questions and answers have been edited for length and clarity.

Q: Can you give examples of the phishing emails Lake Forest students have received over the past couple of weeks?

A: On October 14, many Lake Forest College members received a message with the subject line of “Important Messages from the LFC College Finance Office:” prompting the recipient to click on a link to read important messages from the LFC Financial Aid Office. Another phishing message was sent to students from a compromised account on October 15 that offered to pay a student $350 per week to babysit an alumni’s child. Two more phishing attempts occurred on October 19, with one asking for students to apply to be pet sitters and one asking for house cleaning assistance. Then, on October 22, a phishing attempt invited college students to apply for a job opening through a link to a form that asked the students to submit contact information.

Q: What was the response from you and the IT Help Desk staff to these phishing attempts?

A: In every instance, the entire campus community was notified with the following information: “If you receive this message, please delete it and do not respond to the email link. If you have responded, please reset your password right away and let the Help Desk know so we can be sure your email account was not compromised.”

Q: How are phishers able to compromise Lake Forest College email accounts?

A: College accounts that have been compromised recently were the result of one of the following methods of enticing the account holder to give his or her username and password directly to the phisher:

  1. Creating a simple password that may be easily guessed.
  2. Sharing your password with others intentionally or unintentionally. Giving your password to someone else or writing it down and leaving it somewhere that it can be found allows someone else to make decisions about how and where your password is used.
  3. Using the same password for multiple accounts. If a login to one of those accounts gets compromised, the phishers can gain access to every account sharing that password.
  4. Sending your password via email or entering it into a fake site. Phishers either directly request your login credentials (or other personal information) or link to a Web page where you are asked to log in with your College username and password.
  5. Not looking carefully at the actual email address of messages that direct you to a website to log in. If a message comes from an external email address, there is no reason to enter your College credentials. If a message comes from a compromised Lake Forest address, it would be clear that the sender does not actually have the appropriate role to direct you to a page to log in.

 

Q: What can students do to prevent their accounts from being compromised?

A: There are a few easy steps students can take to protect their accounts.

  1. Create a complex password that contains a combination of upper and lower case letters, numbers, and special characters and change passwords on a regular basis.
  2. Use different passwords for different accounts (e.g., email, bank, Instagram, Snapchat, etc.).
  3. Enroll in the self-service password service that allows for the remote resetting of passwords at www.lakeforest.edu/password.
  4. Never share your passwords—whether that be by writing them down and leaving them in a findable place or by sending them via email.
  5. Be vigilant when reading and responding to email. Verify that the name and email address actually match. If the address looks legitimate, read to see if what the sender is asking or directing seems reasonable for that individual (i.e., a fellow student sending an email about registering to keep your account active is clearly not a legitimate message).
  6. Do not volunteer any personal or contact information to a third party referenced in an email (e.g., someone’s friend looking for a dog sitter) until you know they are legitimate.
  7. Avoid reacting to pressure tactics. Some phishing campaigns will send false messages about your account or computer being compromised, and advise you to take certain actions to undo the damage.
  8. When in doubt, forward a copy of a suspicious message to the Help Desk at ithelp@lakeforest.edu, and they will investigate to see if it is authentic.

Q: What other safety measures do you recommend students take to protect themselves when using technology?

  1. Know that no official Lake Forest College office or staff member will ever ask for your email username and password via email.
  2. Be cautious when logging in to password-protected sites with your credentials, regardless of whether it is a College site or one of your other accounts.
  3. Avoid logging in to your private accounts on any public WiFi connection, since the traffic can be easily sniffed.
  4. Assume that if a non-commercial network is open and doesn’t require a password, you do not want to be on it.
  5. If you are in a hotel or café with public tablets or workstations, you have no way of knowing what protection is in place to keep someone from installing some kind of software to collect information or monitor your keystrokes.
  6. In the event you need to log in to an account on a shared public device, use either a temporary authentication key or two-factor authentication where a one-time validation code is sent to your phone.

 

Q: Given your expertise in the area of digital security, what is your best advice for those of us who take our electronic security for granted?

A: Your personally identifiable information is sought after by a wide array of groups ranging from marketers to those with malicious intent. It is important for each of us to take care in protecting our identity. When so much of our interaction and business is transacted digitally, it is easy to become complacent and careless about information security. It only takes access through one account to get linking information like your mother’s maiden name or the hospital you were born in for a profile to be built to assume your identity. It also opens the door for your digital identity to be used against friends, groups you are a member of, and even businesses you work with as phishers leverage compromised accounts to gain access to more accounts. Being a savvy digital citizen takes work, and it needs to be part of what we practice every day, much like how we should take care of ourselves physically.

Emma Overton can be reached at overtoneg@mx.lakeforest.edu.
