by SHAWN FLEETWOOD
What started out as a typical day for junior Jess Kirby soon devolved into a moment of worry. Upon checking her phone, the communication and digital studies and sociology double major noticed that, in addition to her daily COVID survey, there was a strange email sitting in her inbox.
“I saw this email that said, ‘emergency, your account has been locked,’” she said. “So, I clicked on the link that they had provided, and it said to enter your email and password.”
Soon realizing that the email was a scam, Kirby quickly exited the webpage without entering any personal information. Not long after, she received an email from the university’s Information Technologies (IT) department that warned students to be wary of phishing emails being sent to students.
“They sent an email telling us that there’s a phishing scam going around and to not click on it and, if you do click on it, email this person,” she said. “I did and they just said ‘okay, just change your password.’ So, I did, and everything was fine.”
The issue of phishing emails being sent to students is not a new or recent problem. For years, scammers have been attempting to get UMW students to forfeit personal and financial information. According to Mike Townes, the director of Information Technology and Security, roughly 30 percent of all students fall victim to these various scams, with the number of reported cases increasing year after year.
“They see college students as an easy target for these types of scams,” he said. “The increase in phishing emails has been constantly going up every year.”
Townes also notes that scammers largely target students’ financial vulnerabilities by incorporating part-time job offers as a core component of their messaging style.
“We see a really big uptick when students are looking for part-time jobs,” he said. “[Students] get flooded with a lot of that and a lot of students end up falling for it. Basically, when they go to contact a so-called ‘potential employer,’ they come to find out that these guys are asking for some personal information. And that’s how they really get you.”
The continuing sophistication of phishing emails, however, has remained a challenge. According to Townes, scammers have gotten skillful in crafting believable emails.
“Scammers are really good at taking the school logo information and building it into their email contact so that it looks like it’s coming from the university,” he said. “Sometimes it’s kind of hard to identify. When we do see those types of emails, we will read the content and see some of the grammatical errors they have in the email.”
While IT routinely sends out warning emails to students about circulating phishing scams, the only form of cyber training offered to students by the university is a technology security overview presented at orientation.
“One of the very first items we talk about with incoming students is email,” said Britni Greenleaf, the coordinator of New Student Programs at UMW. “When students get their email, IT provides them with information about phishing/warnings/tips.” University faculty, on the other hand, undergo security awareness training at the beginning of every school year as required by Virginia state law.
However, there have been ongoing discussions among UMW administration members about potentially incorporating some type of official cyber training program for students.
“Online security training for students, like what faculty and staff are required to complete annually, has been discussed, but is not yet available to students,” said Hall Cheshire, the university’s chief information officer. “Some of the factors considered include whether the training would be optional or required, if optional, how many students would take the time to complete the training, if required, what the consequences would be for non-compliance, how often should students take the training and the cost of the training.”
Cheshire estimates that the implementation of such a program would cost the university upwards of $12,000 a year.
Virginia universities that have implemented varying forms of cyber security training for students have seen great success, with very few reported cases of students falling victim to phishing scams.
“We have an annual IT security training that all students, staff and faculty take online, and we also regularly provide reminders via social media and our website,” said Alex Henson, the chief information officer at Virginia Commonwealth University (VCU). “We believe our awareness and training efforts have had positive results. For the past five years we’ve seen a very low number of compromised accounts and successful attempts to defraud our community members.”
Virginia Tech (VT), where students partake in a cybersecurity module as part of orientation similar to UMW’s, has seen results comparable to those of VCU. “My guess is that [the percentage of students who fall victim to phishing scams] is less than 0.1% of the students,” said Scott Midkiff, the vice president for Information Technology and chief information officer at VT. “This is assuming that, of the students who fall for a scam, only a few formally report it to our IT Security Office.”
However, the efficacy of security awareness training still remains up in the air. According to a 2019 study published by the National Center for Biotechnology Information, there was “insignificant improvement in reducing phishing susceptibility by incorporating classroom training.” In addition to instructor-led classroom training, a multiple approach videogame and a text-based training package were also integrated into the instruction sessions.
Meanwhile, a 2020 study conducted by KnowBe4, a security awareness training platform, found that after 12 months of continuous testing and security awareness training, susceptibility to phishing scams decreased dramatically.
Whether UMW ultimately decides to implement such training for students remains to be seen. However, many UMW students seem to already be picking up on how scammers operate, as well as being able to identify scams when they see them.
“I became aware of phishing tactics just by seeing how many of these scams have poor grammar and spelling,” said senior and business major Brendan Mayer. “Many of them are also really informal, with no proper emails or links to socials, so I’ve gotten really good at identifying them.”