Brandon Alter was just trying to get ready for his first year of college.
So when an email, signed "University of South Carolina Information Technology," told him he needed to back up his email to prevent it from being "closed down," he followed the link and entered his information.
He thought everything was fine until he was eating lunch with his grandparents one last time before leaving for school in the summer of 2017 and his phone began vibrating nonstop with notifications. Alter's USC email inbox was flooded with "hundreds" of emails saying "this message could not be sent."
Alter unwittingly had become the victim of a phishing scam, in which attackers impersonate an IT department, a friend of the recipient, a co-worker or a trusted company to obtain personal information or login credentials. In a given year, USC is bombarded with roughly 100 million emails — most of which are blocked before reaching a spam folder — seeking to trick recipients into giving away personal information, spokesman Jeff Stensland said.
When Alter entered his information on the linked page, hackers likely took control of his email and blasted out messages to all his contacts, James Perry, USC's chief information security officer, said in an email.
"Phishing is all about identity deception," said Patrick Peterson, co-founder of cybersecurity firm Agari. "Anybody on the planet can send an email to you and pretend to be anybody."
Cybersecurity experts say every industry is a target for phishing, but universities are particularly ripe targets because they house student financial information and academic research, and they are more open than other industries such as financial services and manufacturing.
The university's filter plucked out the lion's share of phishing emails, letting through only 5,500 in 2017, Perry said. Despite the university's 99.99 percent success rate, hackers still were able to compromise 1,000 USC email accounts last year, most often through phishing, Perry said.
That's because hackers are rarely caught, and it takes very few resources to send more emails once the scam has begun, said Delano Collins, chief information officer at EDTS, a cybersecurity firm.
Collins, who said the number of phishing attempts didn't surprise him, called phishing a "low-risk crime with a high payoff."
Sometimes, hackers specifically target a person, research him or her online and tailor the scam to that person. That variation of the tactic is dubbed "spearphishing," and it's how Russian hackers broke into the Gmail account of John Podesta, Hillary Clinton's 2016 presidential campaign manager. Other times, phishing emails offer generalized promises, such as a recent scam targeting university students that offered bogus job opportunities.
"Everyone should assume they're a target," Collins said.
Espionage on the rise
Universities are increasingly being targeted by spies, with phishing as their weapon of choice, according to Verizon's 2017 Data Breach Investigations Report.
Last week, the Department of Justice indicted nine Iranians for allegedly conducting a worldwide phishing conspiracy, with the sponsorship of the Iranian government, to target 100,000 professors from throughout the world and steal 31 terabytes of data.
Both Clemson and USC said they were unaffected, but Clemson said it was targeted.
Targeting of universities by foreign spies has skyrocketed in recent years. In 2012, less than 5 percent of all successful university breaches were caused by cyber espionage, but by 2016, that number jumped to 26 percent, surpassing all other causes, according to the Verizon study.
While universities are less likely to fall prey to phishing scams than other industries such as financial services and manufacturing, the education profession was slower to fix breaches, the study said.
Here is some advice from cybersecurity experts on how to spot red flags.
- An incorrect email address
- Unexpected emails, even from a supposedly trusted source
- Emails that urgently ask you to click on something or scare you into clicking
- Time of day/week. Phishing emails are more likely to go out Monday mornings and Friday afternoons when people are groggy or rushing to or from work.
Experts stressed there is no catch-all rule for identifying a phishing email. So if you're unsure, Collins says to call the sender of the email to confirm they meant to send it.
"Like Ben Franklin said: 'An ounce of prevention is worth a pound of cure,' " Collins said.