A second “phishing” scam hit Boston University March 20, this time targeting the physics department, but Office of Information Technology officials said students and faculty are now outsmarting scam messages.
“Phishers” — people who scam others through email — sent several messages posing as officials from the university requesting personal information, said IT Consulting Services Director Jim Stone.
The most recent phishing incident at BU happened Jan. 31, The Daily Free Press reported.
Stone said phishers target universities because once an unsuspecting person responds with his login name and Kerberos password, the scammers can use that email address to send more spam mail.
“There have been some cases where, unfortunately, somebody did send a Kerberos password, and we usually immediately see large amounts of email,” Stone said. “We know that the average student, faculty or staff member doesn’t send that much email in one day, and then we can stop the scammers.”
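The detection Stone describes relies on a simple observation: a normal account sends only a handful of messages a day, so a sudden flood of outbound mail is a strong sign that its password has been phished. The following is an added example, not BU's own tooling, that applies that idea to a few constructed outbound-mail log lines (the log format, the account names, the year in the timestamps, and the thresholds are all assumptions) and flags any account whose daily recipient count jumps far above its own history.

```python
"""Flag accounts whose outbound mail volume spikes far above their own baseline.

Added example of the volume-based detection described in the article: a
compromised account suddenly sends far more mail than a typical user.
This is not BU's code; the log format, accounts, dates and thresholds are
assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample outbound-mail log lines (assumed format):
#   "<ISO timestamp> <sender account> sent to=<recipient count>"
# "bob" behaves like a phished account on the last day.
SAMPLE_LOG = """\
2009-03-17T09:12:01 alice sent to=3
2009-03-17T14:40:22 alice sent to=1
2009-03-17T10:05:10 bob sent to=2
2009-03-18T08:30:00 alice sent to=2
2009-03-18T11:11:11 bob sent to=1
2009-03-19T09:00:00 alice sent to=4
2009-03-19T09:30:00 bob sent to=3
2009-03-20T02:00:00 bob sent to=250
2009-03-20T02:05:00 bob sent to=250
2009-03-20T02:10:00 bob sent to=250
2009-03-20T02:15:00 bob sent to=250
this line is malformed and must be skipped
2009-03-20T10:00:00 alice sent to=2
"""


def parse_log(text):
    """Yield (day, account, recipients) tuples; silently skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "sent" or not parts[3].startswith("to="):
            continue
        try:
            day = datetime.fromisoformat(parts[0]).date()
            recipients = int(parts[3][3:])
        except ValueError:
            continue
        yield day, parts[1], recipients


def daily_recipient_counts(text):
    """Return {account: {day: total recipients addressed on that day}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, account, recipients in parse_log(text):
        counts[account][day] += recipients
    return counts


def flag_spikes(text, min_history_days=2, ratio=10.0, floor=100):
    """Return {account: (day, volume, baseline)} for every account whose volume
    on some day exceeds max(floor, ratio * median of its earlier days).

    The ratio and the absolute floor are assumed values. The floor keeps a
    quiet account (baseline of one or two recipients) from being flagged by
    a single legitimate group mail; the ratio catches the phished-account
    pattern regardless of how busy the account normally is.
    """
    flagged = {}
    for account, per_day in daily_recipient_counts(text).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history_days:
                continue  # not enough history to establish a baseline
            baseline = median(history)
            volume = per_day[day]
            if volume > max(floor, ratio * baseline):
                flagged[account] = (day, volume, baseline)
    return flagged


if __name__ == "__main__":
    for account, (day, volume, baseline) in flag_spikes(SAMPLE_LOG).items():
        print(f"{account}: {volume} recipients on {day} (baseline {baseline})")
```

In practice the baseline would be computed over a longer window than two days, and a flagged account would be locked and its password reset rather than merely reported; the structure (per-account history, a ratio plus an absolute floor) stays the same.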
BU has measures in place to prevent spam messages from flooding email inboxes, physics department computer resources manager Guoan Hu said. The BU spam blocker catches most scam messages but does not catch all of them.
“Most of the spam messages will be tagged as spam, but this one escaped the software,” he said. “It’s not being tagged as spam and is going through.”
He said the scam email may have gotten through the blocker because it looked like an email from the university, which means a similar incident could occur at any time.
Hu said he sent an email alerting students and faculty about the hoax soon after it was spotted, reminding them not to respond.
“We don’t know where and when and what the message will look like, so obviously that makes it hard,” he said.
William Skocpol, a physics professor who received the email, said Internet safety is a major concern and everyone at BU should learn to be responsible.
“No student should matriculate, let alone graduate, without having learned the collective responsibility that we all share,” he said. “Similarly, faculty and staff also need regular reminders, just like we have to take laboratory safety courses over and over again.”
Skocpol said the phishing scammer was most likely unaffiliated with BU, because the consequences could be severe if the message’s sender was internal.
“BU persons, if discovered, would be subject to swift justice, including expulsion or termination,” he said. “Nor would a BU person have the infrastructure to systematically profit from information obtained.”
IT is working to trace the spam emails using university email tracking measures, with one phishing source appearing to come from the United Kingdom, Stone said.
“I wouldn’t say it’s foolproof, and you know it’s not because they do get some number [of spam emails] into BU,” he said. “But we look for them, and we react very quickly and try to stop them.”
Stone said the easiest way to stop these scams from happening is not to respond.
“The most important message to the community at BU is that we don’t ask for passwords, PINs, social security numbers, anything that’s of a confidential nature through an email,” Stone said. “Over email, we want people to be suspicious and skeptical about what they send out.”