New Challenges in Your Office: Ever Heard of Spear-Phishing? 

Dear Colleagues,

Were you recently the lucky recipient of a somewhat cryptic email from me? The sender line read “Susan R. Wente.” The subject line was empty and the body of the message simply said, “Are you available?”, followed by a signature line with my name and title. The actual sender’s email address was SusanWente680@gmail.com, which is not my account. I was the target of an email impersonation scam. We estimate that the email was sent to at least 230 individuals at Vanderbilt.

These targeted scams, known as “spear-phishing,” are rampant right now. They leverage the trust recipients have with the supposed sender to extract sensitive information. This might include getting access to bank accounts or IT systems. What is worse is that some of these schemes are specifically tailored to academia. For example, as detailed in this Chronicle of Higher Education article, there is a disturbing trend of “phishers” posing as deans and department chairs asking administrators and professors in their units to purchase gift cards.

The Gmail spear-phishing scheme is just one of many in which I have been a victim. Last semester alone, I had to deal with more than ten scams and hacks of varying types!

Universities, like many other large organizations, are attractive targets for cyber-attacks. This is due to the large amount of potentially valuable data in our IT systems and devices – from financial data, personal information, research, and scholarship to intellectual property.

It can be incredibly difficult to be protected from such intrusions. As soon as we develop protocols and best practices, the hackers find new ways around them. The techniques and technologies are constantly changing. Moreover, unlike corporations, universities are inherently more complex because of our IT diversity. We don’t have a “one-size-fits-all” standard that can be applied across the entire community. For example, most staff computers are provided by Vanderbilt, but staff also use personal devices like tablets and phones for their work. Faculty, given the extreme variance in their types of work, determine what devices and systems to use. They may opt into the desktop program supported by VUIT or independently purchase custom products. Students provide their own devices entirely except in some specialized research environments. But, we ALL access Vanderbilt-hosted systems from Brightspace and Oracle to Box and WordPress, and yes, LISTSERV.

So, what can we do to prevent attacks and secure information in such a diverse community of users?

On an individual level, always be sure that the sender’s email is a “vanderbilt.edu” address. And, if you receive a phishing email or are suspicious of an email, please send it directly to phishing@vanderbilt.edu in VUIT for their investigation.

At the institutional level, we have a number of core principles that guide how we think about IT security. For one, we want faculty and students to maintain the ability to choose their devices and technology solutions. We want staff to have high-quality tools, devices, and systems to do their work. We want all to have access to robust and responsive IT support. And, we want to offer the highest level of protection to every individual to minimize their risk as well as the institution’s risk.

My office, along with the schools and colleges, works directly with leaders in VUIT to develop our IT security strategy. For research-related matters, VUIT partners with the Office of the Vice Provost for Research and the Research IT Faculty Advisory Committee. This committee has recently addressed matters regarding compliance with federal regulations on securing grant-related data.

For the security of individual devices, we must continually brainstorm ideas for new best practices and evaluate in real time new security measures and policies. For example, Vanderbilt recently launched VerifyU, a new set of IT security measures designed to increase protection of the campus against these ever-evolving cyber threats. VerifyU includes next-generation anti-virus protection, multi-factor authentication (MFA) (which we’ve all become used to when we try to log on to our bank websites) and advanced back-up solutions. These solutions are being rolled out in stages across campus. CrashPlan, a cloud-based backup solution, is now being used in various administrative units in Academic Affairs. Starting March 18, MFA will become part of the standard process for logging into Vanderbilt’s VPN (virtual private network) which is used for accessing systems like ACCRE (our advanced computing center). MFA is critically important to protect against remote attacks, including email phishing schemes. Even if the attacker obtains a set of login credentials, they become useless if the end system is protected with MFA. The new anti-virus tools should minimize our risks; however, coupling MFA with programs like CrashPlan means that if attacked, you can recover your data in a timely and secure way.

Although I hope that you don’t get any more messages from my impersonator(s), in our technology-driven world we can never be sure. Please be assured that as a university we will work together to continue identifying solutions that enhance the security of all.

Sincerely,

The real Susan R. Wente

OTHER NEWS

VU community celebrates Martin Luther King Jr.’s legacy and impact

Dalton family commits $12.75 million to support Law and Business Program at Vanderbilt Law School

Global micro-grants take faculty to Lima, Tijuana and Edinburgh

Provost establishes working group on second-year residential experience

Faculty invited to professional development offerings this spring

PREVIOUS OPEN DORE ISSUES

In case you missed it …

The Provost’s Ten Highlights for Fall 2018

Vanderbilt’s Innovation Ecosystem

From Inspiration to Action: Advancing the Arts and Humanities at Vanderbilt

Spread the Word: From New Online Gateways to New Funding Programs

Shared Spaces, Shared Values, Shared Initiatives

All past issues