Emails sent from Quinnipiac accounts are generally trustworthy, but that isn’t always the case.
A scam email sent from a Quinnipiac account on Tuesday, Sept. 8 contained a message that said the email account was near capacity. Recipients were instructed to click on a link and enter their username and password, information which scammers can use to access more email accounts or Quinnipiac-related information, like the library databases.
According to Chief Security Information Officer Brian Kelly, this is known as phishing.
Merriam-Webster defines phishing as “a scam by which an e-mail user is duped into revealing personal or confidential information which the scammer can use illicitly.”
Approximately 9,000 copies of the email were sent to Quinnipiac faculty and student accounts.
Though in this case the origin of the phishing email is unknown, Adjunct Professor Barbara Cofrances-Nana was among the first to receive the email. Her email could have been exposed to this scam through another phishing campaign, according to the Information Technology department.
At first, Cofrances-Nana didn’t realize that this email was not an official Quinnipiac email and gave the link her username and password. However, it didn’t take long for her to notice.
“All of a sudden I got email upon email on my email site that was saying the same thing: ‘Quota Warning,’ ‘Quota Warning’ … I knew something was wrong,” Cofrances-Nana said.
As of Thursday, Sept. 10, an estimated 12 accounts have clicked on the link, according to Kelly. But that does not necessarily mean that all 12 accounts gave away personal information.
“Maybe we have a savvy, skeptical user base who, by and large, doesn’t fall for these kinds of things,” Kelly said.
Freshman Olivia Morgan, who received the phishing email, echoed Kelly’s sentiment.
“We kinda know not to click the fishy links cause most people looked at it and saw it wasn’t a real thing,” Morgan said.
Freshman Amanda Allen, who also received the email, noted that students were also informing each other about it through social media.
“On Yik Yak, a lot of people were talking about [the email]… They pretty much just said don’t open it or don’t put your information in it, and if you already did, to change [your password],” Allen said.
After having discovered the nature of the email, Cofrances-Nana took her computer to the IT department on the third floor of the North Haven Campus. She said that the IT department took care of the problem within 30 minutes.
Cofrances-Nana said she is cautious when it comes to the Internet and uses various programs to protect herself on the web. However, Kelly said the user may have been tricked by the email into giving information.
“There’s a social psychology aspect to it, that they play on urgency… ‘if you don’t comply, [a] bad thing is going to happen,’” Kelly said.
When receiving official Quinnipiac emails, Kelly said to check if the email was sent from a quinnipiac.edu address. He said official emails should also have a signature block, which includes a phone number so recipients can verify the authenticity of the message.
If a user’s account is near capacity, the official email they would receive is a message sent by the Microsoft Outlook program, which is used for Quinnipiac email, that says “Please reduce your mailbox size. Delete any items you don’t need from your mailbox and empty your Deleted Items folder.”
Kelly said students shouldn’t use a password from another site for their Quinnipiac password. He also said students shouldn’t share their password with anyone—not even their parents.
“The students get a big kick out of that when their mom calls and says, ‘Hey, you told my son not to share their password with me,’ but it’s so critically important to protect [your password],” Kelly said.
Cofrances-Nana followed Kelly’s advice. She changed her password after the incident. She warned students and faculty to be careful in the world of cyberspace.
“You let your guard down one time, and crazy things happen,” Cofrances-Nana said.