“Dear user, update your account” is a phrase that UI students are seeing more often than they should. The phrase is the introduction to a spam email that is being sent out to uiowa.edu addresses; the messages hack student accounts and proceed to send out more emails.
UI sophomore Madhuri Belkale said she received nearly 200 emails last week saying a message she tried to send could not be delivered.
When she tried to look in her sent inbox, it said her “password had been changed and [she] had to use the two-step verification process to reset [her] password and get back into [her] account.”
When Belkale finally got into her sent inbox, she didn’t notice any emails out of the ordinary. However, the next day she received an email that said “Really? Who’s your supervisor and what department are you claiming to be from at the university?”
This proved to her that emails had been sent from her account.
Later that day, ITS called and told Belkale her email account had been compromised and helped her go through settings to make sure nothing else was affected.
However, when asked about the source of the hack, “they did not have any information for [her].”
Ryan Lenger, the Information Technology Services manager of the communication & collaboration team, reported that this problem should not occur because of the high-security protection service the UI uses.
“The University of Iowa currently uses a cloud-based Microsoft spam protective service,” Lenger said.
With this service, there are numerous layers of defense in place for email services. All messages go through a system that filters them and scans for content, malware, and specific terminology.
Lenger also said that “email messages are also reviewed for reputation, which is based on varying factors like the domain name (gmail.com), the specific email address ([email protected]), server address, email volume, and historical trends of those variables.”
There are spammers that do make it past email security. Most are not savvy enough to be successful, but it is possible and it does happen, Lenger said.
Lenger reassures students by saying “University of Iowa staff are able to create custom rules targeting those undesirable messages.”
Another plan of action will take place in October, which is National Cyber Security Awareness Month.
Jane Drews, the UI chief information security officer, says the UI is “planning to provide weekly awareness communications using different methods.”
Students can also find phishing-awareness resources by going to http://learnabutsecurity.uiowa.edu.
Drews said last month ITS became aware of “work-at-home” scams that students were receiving. On its website, ITS said, “IT Security Office warns of work-from-home schemes” and to “avoid any offer that requires an up-front personal investment.”
ITS staff members acknowledge that the scams targeting college students are a serious problem. They also see a large problem with phishing scams targeting health-care organizations.