Flood of fraudulent emails prompts security concerns, new protections – The Huntington News | Team Cansler

Northeast students are seeing an increase in scam emails appearing in their school emails, which some say are harder to spot due to similarities to legitimate college emails. After the scams, all Northeastern emails will be upgraded to keep Northeastern accounts more secure.

When Luiza Loyo, a fourth-year journalism major, received an email offering a position with a doctor named Ben Simon, Loyo assumed he was connected to the university. The email said the position would pay $500 a week for an assistant to do some shopping for Simon and make some philanthropic donations, which he couldn’t afford due to his heavy workload.

The email was well written, and since Loyo got it from her Northeast email, it assumed it was from a university project. As an international student, Loyo said she was used to finding work through university.

“Many international students seek jobs on campus because they can’t work elsewhere,” Loyo said. “So it’s a very logical assumption that those emails are going into your Northeastern account because people are looking for Northeastern students.”

Loyo replied to the email asking about hiring and received a response that contained strange grammar and wording and asked for personal information, after which Loyo was immediately hired. It also stated that Loyo would be paid through an unnamed outside group. Loyo stopped responding due to the suspicious nature of the response, but only fully realized it was a scam when friends later discussed the fraudulent emails the students had received.

“After talking to my friends that day, where they also said they receive a lot of scam emails, it all made sense,” Loyo said. “I started going through my inbox and all of a sudden I’m actually getting a lot of weird job offers that I first thought were a Northeast Employment Service service.”

Eric Nichols, a fifth-year computer science student, said he decided to investigate the scam emails after hearing about them for the first time. Nichols said he looked at the fraudulent emails other students had received and found that the email addresses used — all from the Northeast — were from graduate students and professors only. He also found that he and other students received identical offers, but the sender was different.

Nichols said he was wondering if someone could log into the Northeastern accounts with the user’s credentials, or if they had been hacked. If they were hacked, Nichols said he had concerns about what else the accounts could be used for.

“Is it that their account was compromised or was someone able to impersonate these people without logging in?” Nichols said. “And if all those accounts got compromised, are they just sending out spam emails or is there other stuff related to that?”

Nichols also said that the emails weren’t immediately identifiable as scams because of their content and structure, so Northeastern’s tips for detecting scams might not be very helpful.

“So when they give tips on how to spot a fake, I think there’s a possible aspect that the school makes it harder to tell them apart because they often engage in the same behavior when they email us .” he said.

Following a Microsoft technology upgrade released on October 1, Northeastern will integrate new layers of protection for university email. Scott Olson, manager of student staff, services, human resources and training, said the new security will be called Modern authentication. The program, which first rolled out in the Northeast on November 8, adds an extra layer of protection when students log into their Northeast accounts.

According to the Office of Information Security (OIS) Modern Authentication website, many Northeast students have already been using devices fortified with the updated software, which includes two-factor authentication via Duo. This subscription system gives Northeastern email users temporary access to the service they were subscribed to, which will eventually expire. According to the site, Duo authentication will also become more common after the move to modern authentication.

The original login system, known as “legacy authentication,” would allow people with Northeastern email addresses to log in with just a username and password, which were then stored by the application they logged into would. This leaves those using this login system vulnerable to security risks, according to the OIS website.

“The transition to modern authentication will improve account security and reduce the number of compromised accounts and phishing emails across Northeastern’s network,” according to the Office of Information Security website.

After the upgrade, students using legacy sign-in methods had to move to the latest update of Microsoft 365 and ensure their email client supports modern authentication by October 31, or they could lose access to their Northeastern email lost mail.

Information Technology Services sent an email on November 9 announcing the change. The announcement referred to modern authentication as Duo Two-Factor Authentication, or Duo 2FA. It was also announced that students will need to log in to their Northeastern accounts through Active Directory when logging in, as students may be locked out of their accounts if they use the myNortheastern login method.

“Duo 2FA is already required to access the university’s virtual private network and other commonly used online services and systems. This update doesn’t change the way you sign in and verify with Duo, but expands it to protect additional services,” the email reads.

In the run-up to the switch, Northeastern also sent out several emails warning of the rise in spam emails and providing tips on spotting scam offers. According to the emails from Cassandra LeBrun, Associate Director of Talent Engagement, students are always asked to register with NUworks if the job opening is a real Northeastern-related job. LeBrun also wrote that students should ask a career counselor at Employer Engagement and Career Design to verify that the offer is not fraudulent and forward any dubious materials to her.

The emails gave general advice not to provide important personal information like bank account information and social security numbers, warned that if the position seems too good, it probably is, and that all international students must be authorized before accepting employment.

Darin Zullo, a first-year journalism major who had not yet been briefed on the modern authentication system when speaking to The News, stressed the importance of including a program that could filter out fraud. Without the inclusion of such technology, Zullo said he believes the university would not adequately address the situation.

“If people get hacked because of these phishing emails, the school could do more to respond to the situation,” Zullo said. “It’s a pretty common problem and we’re all aware of it because we all check our email. I just have the feeling that not enough is really being done.”

Leave a Comment