Elaborate phishing scams increasingly target universities

Penn State University's main campus. (Lindsay Lazarski/WHYY)

In the past few months, someone at the University of Pittsburgh got an email, seemingly from his superior, asking for $1,000 in Amazon gift cards right away.

He bought the gift cards, then realized it was a type of email scam known as phishing.

More and more scammers are conducting cyber attacks like this because it “involves human decisions,” according to Microsoft’s latest security intelligence report for 2018. The FBI’s internet crime report for 2018 noted that there were more than 26,000 victims of phishing for that year, with a combined loss of more than $48 million.

This sort of thing occurs so often now that the University of Pittsburgh’s computing services department designs its own phishing emails so people learn to be on the lookout — kind of like an email fire drill.

“Depending upon our campaign, we make them from ‘fairly easy to identify’ all the way to ‘man, I would fall for that one myself,’” said Joel Garmon, the chief information security officer at the university.

A sophisticated email scammer might pose as the university chancellor and ask the finance department for money. For those high-profile targets, Garmon said, his department runs specially designed fake phishing campaigns twice a year. Everyone else gets less-intricate fake phishing emails once a month.

The University of Pennsylvania is going to start doing this as well, said Nick Falcone, the information security officer there.  

Sometimes, hackers just want a couple of gift cards. And sometimes, they score big.

A few years ago, Chinese hackers went after Penn State’s College of Engineering with an elaborate scam that started with a phishing campaign.

Earlier this year, the Wall Street Journal reported that Penn State, which has research ties to the Navy, was among more than 20 colleges targeted by Chinese hackers in a phishing campaign. A Penn State representative neither confirmed nor denied the details in the report, saying only that the university is “very aware of the real and persistent threat from both state and nonstate actors.”

Two years ago, MacEwan University in Canada lost millions of dollars after a phishing scam tricked staff members into changing their banking information.

It took months to get most of the money back.
