Pictured Above: A screenshot of the most recent scam email, inviting students to login to MyUSF through an embedded link.
Catherine Hicks | The Crow’s Nest
By Catherine Hicks
Despite USF migrating its internet platform from Gmail to Microsoft Office 365 in March for consolidation, phishing emails continue to fill student inboxes.
“Phishing is a type of cybercrime in which individuals send fraudulent messages to individuals in the hope of tricking them out of personal information such as passwords, credit card numbers and Social Security numbers,” according to the Information Technology website.
Phishers impersonate employers, financial aid officials, professors or faculty members. In the emails, a prospective employer offers an employment or internship opportunity that seems too good to be true, or a financial aid official claims a grant is available to the student or that a financial agreement needs to be updated.
They are creative and will go to great lengths to make emails appear legitimate.
“My email address has been manipulated to try to scam faculty into purchasing gift cards,” said Magali Michael, Campus Dean of the College of Arts and Sciences. “Someone took my email address and added a gmail extension… so it looked like I was sending the email. It went out to the whole College of Arts & Sciences faculty and staff, (which) happened at least twice.
“A few people immediately inquired to see if this was really from me and so I then sent out an email to all faculty/staff to disregard the spam email. This happened both before and after the change in email addresses in March.”
On August 17, USF sent out an email to faculty and staff informing them that they would be migrated to a new security and anti-spam platform called Exchange Online Protection (EOP).
“We will retire the currently used Barracuda Email Security program,” the email said. “EOP is Microsoft’s integrated solution which will allow for better security, end user functionality and a more integrated, seamless experience.”
These security platforms are designed for “email filtering – protecting USF from spam, phishing and other malicious emails,” according to the EOP announcement. Spam or phishing emails are held in a quarantine box and the receiver is notified that they have emails in their ‘prison’ to review for release.
“The ones where emails get hacked are harder,” said Mary Nickens, Executive Assistant to the Dean of the College of Arts & Sciences. “I got one from the Dean of the College of Arts & Sciences in Tampa a few weeks ago, asking me to do something… It took me a few readings and back and forth with the ‘hacker’ to realize it was a hoax.”
The most recent phishing email, with a subject line that read “Financial Responsibility Agreement,” was sent on Aug. 29, inviting students to log in to MyUSF, with an embed link that led to a false MyUSF login page.
“According to our records, you or a USF administrator on your behalf processed at least one registration translation within the last week,” the email said. “As a result of this transaction you are receiving an email reminder of the terms and conditions of The University of South Florida Financial Responsibility Agreement.
“You can reconfirm if you have any questions about this. To do so, kindly log on MyUSF.”
Students who logged in through the embedded link gave the phisher access to their OASIS account, which includes bank account numbers, home address, phone numbers and other personal information.
In USF communities on Reddit and Facebook, students shared experiences with scam or phishing emails.
“I just want to share a warning to everyone, I got a weird email today about my tuition and it looked like it was from the financial aid office but it was a scam and my email got disabled,” wrote Isabella Straub on Feb. 29, in the USF St. Petersburg Facebook group.
Information Technology recommends students or faculty that receive a phishing scam not open any links or attachments and forward it to spam@usf.edu for investigation.