UI to fight phishing with external tagging

External tagging is the newest way ITS ramps up security to combat phishing.


Grace Colton

The University of Iowa’s information technology services help center is seen in the old capital mall on Tuesday, January 22, 2019.

Josie Fischels, News Reporter

One wrong click on a suspicious link can mean the end of a student’s email account; now, Information Technology Services is introducing a new way for the University of Iowa to combat phishing emails.

Phishing emails are cyberattacks disguised as real and important emails sent by the university. Often using shocking or urgent messages to manipulate students into clicking on suspicious links, phishing is used to swipe usernames, passwords, credit-card information, social-security numbers, and other private data, UI media-relations Director Anne Bassett said in an email to The Daily Iowan.

ITS keeps a record of all reported types of phishing emails and posts how to identify phishing on its website. More recent examples of phishing emails include ones that have informed students they need to sign an unnamed “important document.” Others have requested students review their tax information by following a link to an unspecified location.

In early February, phishing emails informed students that someone had posted sexually explicit images of them of the UI webpage, Bassett said.

Nicole Dahya, the ITS communication manager, said the UI has seen an increase in phishing emails since classes have started again for the spring semester, but the numbers have been nothing out of the ordinary compared with other years.

“The start of the new semester and the associated return of people to campus often results in more phishing attempts,” Dahya said. “Scammers are drawn to large populations such as ours.”

RELATED: Cybersecurity in the time of phishing 

To combat the scams, ITS enabled the use of external email tags on March 5. UIHC has used the method to identify phishing emails for nearly two years.

According to the ITS website, most phishing scams begin with messages from an external email system. As part of the UI’s attempts to reduce these scams, external email messages will now receive an “[external]” tag in the message subject.

“Many safe and legitimate email messages come from external email systems,” Bassett said. “The [external] tag does not mean the message is a scam, but it does provide additional information about the message source.”

She said a message tagged as such means that recipients should take caution. A message without this tag does not mean it is safe.

“The external tag is a reminder to stay vigilant when handling emails from external sources,” she said.

Falling for a phishing scam can compromise a person’s entire email account. UI freshman Maddy Finn said her username and password needed to be completely reset through ITS after she clicked on a link in a phishing email that told her the email account she was using was about to expire.

“I’ve luckily learned the difference of right and wrong, but when I clicked on the [link], I got all this spam,” Finn said. “Within two minutes I got like 600 emails.”

ITS urges all faculty, staff, and students to be vigilant when handling phishing scams and never to respond to phishing emails if they are received, Dahya said. ITS appreciates having recipients report phishing emails so they can be blocked to protect others on campus from the attack, she said.

“If an email feels like phishing, it probably is,” Dahya said. “The best course of action is to trust your instincts and delete it.”