EU Goes Phishing

In the past year, Elmhurst University has seen an influx of “phishing” scam emails to student and staff inboxes. Many of the emails come from students and staff with compromised accounts — meaning it is particularly easy for EU attendees to fall victim to the scam.

Phishing scams, where an email or text message sent from a scammer pretends to be a peer or figure of authority, typically to steal information, are not exclusive to EU. The recent specific style of emails EU inboxes have received have plagued other colleges and universities across the country as well. Reports from the University of Virginia, Harvard University, and Penn State University show similar attempts to steal student and staff information.

Kurt Ashley, Vice President for Operations and Technology on campus, heads Facilities Management, Information Services (IS), and Marketing and Communications. As the head of IS, he is well aware of the issue and shared some insight on what is happening.

Ashley believes the email protection settings set by EU “do a great job of blocking phishing attempts when they are sent from someone outside Elmhurst University.” He also notes that emails from non-University email addresses have a banner reminding students and staff to be careful of scams.

What makes recent emails dangerous is that they come from student and staff email addresses. This means they don’t have the external email address banner reminding students to be vigilant, and according to Ashley, “[students] inherently trust that [the email] is legitimate because it is coming from a supposedly known entity.”

In late 2023, IS began requiring students to use Microsoft Authenticator two-factor authentication. This meant students would be required to enter a one-time, secret code generated when they attempted to log into their Elmhurst University Microsoft 365 account on a new device. Students also began being required to re-log into their Microsoft 365 accounts once every 30 days on their devices.

Ashley says, “This has been effective until recently when we again started to see some student accounts being compromised.”

Whenever a student or staff account is compromised and seen sending one of these phishing emails, IS interviews the account owner to understand what specifically happened.

According to Ashley, “In every recent case, the student has received a text message that claims to be from Information Services and asks them to enter a two-digit code into the Microsoft Authenticator app and sometimes, for the user to provide the attacker with the six-digit one-time password code found in the Microsoft Authenticator app.”

This exposes what Ashley sees as potentially the weakest link in cybersecurity. Ashley noted “if a user shares their password and/or multifactor authentication tokens with someone, that will bypass all of these protections,” and “some of the onus does need to be on the end users to ensure all of the safeguards we have put in place remain effective.”

The recent phishing emails are a high priority for IS. Ashley says “[IS tries] to do all we can behind the scenes to mitigate this problem, but a true solution requires participation from everyone to keep us all secure.”