Think Before Clicking That Link

by Kristina Vakhman

While cruising through ones Central Connecticut State University email and a message pops up titled ‘final warning’ in all uppercase letters, one would not hesitate to open and read the content.

Once the user opened the email, a message popped up saying their account was about to be shut down and that they must click the provided link to save it. Once the link was opened, the window asked the user to enter their email account’s username and password. That user then just became a victim of a phishing email.

Over 600 CCSU students fell for phishing emails since April 4. This incident is the biggest one that Amy Kullgren and Sean McNickle of the university’s Information Technology Department said they have seen thus far, beating out last summer’s situation where 400 students were affected.

“They got an email, they clicked on the link in the email and they put in their username and password,” McNickle said of the students. “So, it’s not just clicking on the link and opening up a page. The page actually asks for your username and password, and they entered it.”

“If I can get across one thing from IT’s point of view: we will never, ever, ask for a user’s password. That’s one of the keys. Most legitimate places will never ask you to enter in your password,” said McNickle.

Kullgren agreed, stating that anytime a link asks for an user’s password, it is a big indication to stop and immediately disregard and delete the email. Those who did not know of this red flag and gave the phishers their credentials, she said, should instantly change their password.

“If you change your email password, then the credentials you gave the spammer or phisher are gone,” said Kullgren.

She reminded students not to panic, as the phishing and scam emails are hard to spot if they are not looked out for, and to simply follow IT’s advice to recover their account.

“They’re getting more and more sophisticated. Sometimes they’ve actually had our CCSU logo in them. It looks like it’s coming from somebody that’s part of Central,” said Kullgren. “Unless you’re really reading them critically, it’s easy to fall victim.”

Protecting your account will not only keep you safe, but help IT. Though there are many security systems put into place that filter out third-party threats, compromised CCSU email accounts are more difficult to catch. Phishers use robots to send out thousands of messages through a victim’s account to other students who, seeing a fellow CCSU email, put their trust into the content and fall for the scam as well.

“They [phishers] have a script that goes out and starts sending a different email hundreds or thousands of times,” said McNickle. “Just one person compromised can send off five hundred emails and two more people get compromised and they send out another five hundred. It just goes [on and on]. That’s kind of what happened to us in a very short order.”

IT is working to detect compromised email accounts, as well as to educate students on how to spot and avoid phishing emails. If you receive an email asking you to click a link:

  • Check who the sender is by hovering over the address with your mouse. If it is an email outside of the CCSU network, there is a high chance that it is a phishing attempt.
  • Look out for typos and unusual phrasing; if the email addresses you as ‘Dear Customer,’ it is most likely a scam.
  • If the email is from the CCSU domain, you click on the link, and are asked for your username and password, DO NOT enter them. Delete the email.
  • If you do end up entering your username and password, IMMEDIATELY CHANGE YOUR PASSWORD.
  • NEVER GO BACK TO AN OLD PASSWORD. Returning to the password that has been given to the scammer will only return their access to your account.

For more information on how to protect yourself from phishing and scammers, visit the IT department in Henry Barnard Hall, Room 019, or look for the poster-guides on the walls of every CCSU building.

In addition, IT will be hosting an ice cream social about the topic on Thursday, April 27.

Leave a Reply

Your email address will not be published.