April 22, 2010

Phishing for information on campuses

In late March, thieves broke into the headquarters of the Minnesota-based company Educational Credit Management Corp. (ECMC) and made off with discs full of student data.

ECMC is a company that processes loans granted to students by the federal government. An estimated 3.3 million students had their information compromised as a result of the theft, a number that represents five percent of students nationwide with federal loans.

While incidents on the scale of the ECMC break-in are rare, cases of identity theft are commonplace, especially among college students and come in a variety of forms.

Phishing, or e-mail scams designed to acquire information such as passwords, credit card details and bank account numbers are particularly concerning to college students, who often utilize online banking while away at school.

“I think pretty much everyone has seen the, ‘I’ve got a large sum of money I need to transfer into the United States … I will pay you x% of the amount if you will allow me to transfer money into your account,’” said Steve Hall, Associate Director of Knox’s Computer Center. “The information they collect is used to make withdraw[als] instead of deposits.”

Other phishing scams are designed to obtain e-mail usernames and passwords.

“If you respond to the message [and give] out your account credentials, your account is then used by ‘spam gangs’ to send out thousands of illicit e-mail messages,” he said. “If more than a couple hundred of these messages are sent, the knox.edu domain ends up on a blacklist.”

It usually takes two to three days to remove knox.edu from the blacklist. Until the issue is resolved, Knox students are unable to send e-mails to their families and other non-Knox entities using their Knox e-mail accounts.

Fortunately, Knox’s Barracuda Spam and Virus Firewall blocks most phishing attacks. Hall estimates that only about 20-30 get through every year and of those, only 10 end up being distributed widely around campus. These low yields, however, do not deter phishers; they simply send out more messages.

“A yield rate of 1.5 percent on half a million messages yields 7,500 accounts, and if they are able to extract just $1,000 from 10 percent of these accounts, [that] means a net [profit] of about $750,000,” Hall said. “Not a bad take for what generally amounts to about one week of effort.”

Because the profits can be so high, phishing now has the sponsorship of organized crime. Most of the scams Hall has been able to track originated from various organized crime outfits in Eastern Europe.

Phishing is not the only way for others to obtain personal information. Senior Sara Belger never gave out her credit card information over e-mail, but she found out during winter term that someone in Venezuela had been using her information to make purchases.

“My initial reaction was…‘Hmm…I don’t recall being in Venezuela,’” she said. “That quickly turned to anger as I saw the amounts they had charged.”

Belger was able to call her credit card company and resolve the issue. Still, it was a few weeks before she could use her card again.

“I’m not entirely certain how they got my number, though I suspect it has something to do with the Internet since that is the only place I use that card,” she said.

While the process of stealing someone’s identity is not always obvious, as in Belger’s case, the incident at ECMC has made clear the need to increase safeguards against identity theft.

“Protecting student privacy is a top priority,” U.S. Department of Education spokesman Justin Hamilton told the Minneapolis Star-Tribune.

Anna Meier

Bookmark and Share

Previous Post
Golfing days of yore
Next Post
Campus Safety Log: April 13-19


Leave a Reply

Your email address will not be published. Required fields are marked *