Dana De La Cruz
In a recent wave of phishing attacks, some UCSB students found their U-Mail accounts susceptible to spam emails and scams.
Chief Information Security Officer at UCSB Sam Horowitz described phishing as a “social engineering attack via email” that attempts to obtain sensitive information from victims. The objectives of these hackers include identity theft and financial fraud.
Most of these emails are poorly written, with bad grammar or unusual word choices, Horowitz said. Some can be “highly realistic” and “custom tailored to the victim,” Horowitz warned. The U-Mail website describes these as “spear phishing” campaigns.
Sarah Padilla, a fourth year sociology major, fell victim to one such spear phishing campaign. Padilla received an email to her U-Mail account last month that linked her to an “important message” from the school. The link led to a blank page. She reopened the link several times on her phone and desktop, but it still yielded an empty window. At this point, Padilla said she knew “something was up.”
Later that night, Padilla realized her U-Mail account was used to send out several hundred emails to other students about a fake job offer. The emails claimed that Padilla had an uncle who was in search of a dogsitter.
“It definitely felt like Google Translate,” Padilla said about one of the emails. “I don’t know how I would’ve responded if I were on the other side and got that email … That’s not really the outlet I would take a job from.”
Still, some students replied to the email and went “back-and-forth” with the scammer, who asked for private information such as addresses and personal emails. Padilla’s inbox was full of emails and responses.
After calling the U-Mail help desk, Padilla recovered her account. She also made a post on the UCSB Free & For Sale Facebook group warning others not to fall for phishing scams.
Padilla said that UCSB’s U-Mail platform should feature a “sorting system” that would differentiate official school emails from phishing scams like the initial scam email Padilla received.
“When I go to my U-Mail, I’m mostly looking for things from the school — from Student Health to professors to things happening on campus,” Padilla said. Phishing scams that appear to be from the school can be especially dangerous to UCSB students.
Phishing campaigns have raised questions over the security of the Microsoft Office 365 platform that UCSB uses. However, Horowitz said that all email platforms are vulnerable to such attacks.
“To a phisherman, a mailbox is just a mailbox,” Horowitz explained. “It’s who owns the mailbox that makes all the difference.”