In the past, a friend or trustworthy Goshen College department may have emailed you and casually asked for your GC password and username. In fact, this request was likely neither from a friend or Goshen College, but instead an attempt to steal information from you as a means to profit off of access to your contacts and personal information.
If you gave out this information, it was likely used to flood the inboxes of you and your friends with unsolicited advertising, and maybe even to install malware on your computer. Those who received your information were paid at the expense of your own privacy and security.
These illegal and deceptive requests are called “phishing,” and over the past few weeks a series of phishing attempts have caused major problems for the Goshen College community.
Michael Sherer, the internet technology service (ITS) director at Goshen College, said that phishing is far from a new phenomenon. “Over the last several years, we've been ahead of the spammers and have had policies and procedures and systems in place that limit the amount of phishing that you get,” Sherer said. When some phishing attempts did get through, ITS would then have users change their passwords on a more individual basis.
This all changed over Thanksgiving weekend when Goshen College came under a particularly nefarious phishing attempt. “The spammers used a novel technique and managed to send a message that appeared to be coming from firstname.lastname@example.org,” Sherer said. Because of the Goshen address, Sherer said a larger percentage of people fell for it.
As a consequence of this attempt, many Goshen email accounts began sending out spam, which caused many email services online to “blacklist” Goshen, so that they would no longer receive any emails from a Goshen address.
As part of the process of removing the institution from the blacklist, every member of the Goshen College community was required to change their GC password this past week. Those who did not change their password voluntarily were assigned a new password by Goshen's Internet Technology Service department.
Sherer says that ITS is hard at work to make sure “there is less contact between the bad people and the user community.” In the meantime, he says the Goshen community needs to be mindful of phishing attempts, and to not give out password information over email—regardless of who appears to be asking.
Sherer said to be mindful, but not to panic. “We're not particularly being singled out or doing a better or worse job of contending with this—it's pretty routine in higher ed, and our users are just as smart as other users.”
Still, Sherer says phishing is business, and that the GC community will need to be mindful of attacks. “Spamming people is a business—it's a sleazy bad businesss, but it is a business. There are people getting paid to get accounts, and your account is of value to a user so they can send out a lot of spam in a hurry.”