The past year has seen a rise in Central Oregon Community College students and staff receiving emails that attempt to phish a user’s data, largely by the promise of well-paying jobs. Approximately 20 of these phishing emails have gotten through various digital security filters and some were sent from the hacked emails of COCC students and staff.
These scam emails offered jobs as a dog-walker, personal assistant and representative of the World Health Organization. Students were promised up to $750 a week, flexible schedules and thousands of dollars in financial aid. Others attempted to have users click a link by pretending to be a voicemail or a secure message, or would include HTML files that, if run, would likely scrape one’s data directly from their browser.
To ensure digital security, Darren McCrea, information officer in COCC’s IT department, said the college utilizes a practice called “defense in depth.” McCrea said the college uses “multiple email, what they call, washes. So, it goes through multiple email gateways to check for things like harmful attachments, harmful links,” in addition to other safety measures. “On average,” McCrea said, “we block more than 25% of the e-mail sent to our staff and students, having identified it as malicious in some respect.” That means that out of the 8 million emails sent to COCC accounts in 2022, about 2 million were these likely automated scam emails that were filtered out by security. Despite all this, McCrea said, “your biggest [security] weakness is going to be employees … and students. So that’s our first thing, is to try and train and make students and staff aware of the risks.”
These scam emails will often ask the recipients to reply using a personal email address or phone, as opposed to their COCC email. By taking the conversation outside of COCC’s digital security measures, the scammers could send all sorts of harmful links and files that would otherwise be filtered out by the security system.
“What’s gotten past recently, in the last year or so,” McCrea said, “there’s what they call ‘business email compromise ….’ These emails just say ‘I have a job, I work from home, Send me your email address,’ and all of our security systems are like ‘there’s nothing wrong with that, …’ there’s no bad attachment. There is no link out to a website that we know is bad …. So, then we have to rely on our staff and our students to be aware enough ….” The best thing to do if you suspect a scam email is to contact the IT department directly, or forward it to [email protected].
To bolster digital security, the IT department works with various agencies such as the Cybersecurity & Infrastructure Security Agency, the Multi-State Information Sharing and Analysis Center, the Open Web Application Security Project, local law enforcement, and the local branch of the FBI. McCrea said that many organizations such as these have “been putting out advisories since the pandemic.” When asked why he thinks these phishing attempts have increased recently, McCrea said, “we moved to remote work and remote education … If I got an email and it said, ‘hey, can you click this link and X, Y or Z?’ I can’t just walk down the hallway and ask the person who sent it, so you just trust it …. They also don’t have this security infrastructure around them to protect them. They’re on their own computer.”
However, these scammers are not the only people attempting to capitalize on COCC students’ need for flexible, well-paying jobs. Check The Broadside in the following weeks for a list of ways to help spot these scam emails and learn about a business’s attempt to recruit students for multi-level marketing.