Cybercriminals are continuing to target higher ed, and they’re hitting us hard. Consider Rockhurst University in Kansas City, where a phishing scam resulted in the theft of W-2 information from nearly 1,200 university employees.
Ohio State was targeted by a similar scheme, but the administrator involved recognized that the email was a phishing message and promptly reported it to firstname.lastname@example.org. Enterprise Security is thrilled that this story has such a happy ending, but we remain cautious because these phishing attempts show up in email inboxes every day.
“You are our first line of defense,” says Chief Information Security Officer Helen Patton. “We are continually adding new lines of defense to our arsenal to block cybercriminals, and will continue fighting to outpace them. However, the nature of technology means that every employee who has access to information has a responsibility to keep our data safe. In short, be smart and follow the best practices we’ve listed on our website.”
In the incident at Rockhurst, users were asked to click on a link leading to a website that looked like an official Rockhurst login page and were directed to enter their user name and password. Of course, the site was phony and allowed cybercriminals to capture the user names and passwords of anyone who was fooled by it. Cybercriminals only had to dupe one employee, and they had access to the personal information of more than a thousand employees.
Crimes have also included phishing schemes that compromise an employee’s password, allowing the employee’s direct deposit payroll to be diverted to the cybercriminal’s account. This specific threat is one of the reasons we chose Human Resources’ Employee Self Service (ESS) system as the first university-wide service to receive multi-factor protection. BuckeyePass is our new multi-factor authentication service that provides a second layer of protection for university accounts.
Beginning September 12, all university employees will be required to use BuckeyePass along with their Ohio State username and password to access Human Resources’ Employee Self Service (ESS) system.
It’s another line of defense, because we have to stay ahead of cybercriminals, and we’ll never stop working to protect our information.