This is at least the second phishing scam this year to successfully breach the email account of a university employee.
On Oct. 17, ETSU’s Information Technology Services discovered a university employee clicked on a phishing email that gave unauthorized access to the employee’s email. Nine days later, the IT department determined another employee’s email was also breached as a result of the same phishing scam.
ETSU Chief Communications Officer Joe Smith said the university is not disclosing what department the employees worked for, but he said the scam seemed to be targeting them specifically, as the email was disguised to look like it was sent by a colleague.
“This is not something that went campuswide,” Smith said. “(The email) appeared to have come from a colleague. It wasn’t just a random thing they clicked on. They thought it was from a colleague, and it appeared to be related to their type of work.”
Once the scam was discovered, ETSU’s IT department immediately disabled access to the email account, reset the employee’s username and password and began an investigation, the Monday email stated.
While Smith acknowledged a similar incident occurred in August, which was investigated by the ETSU Board of Trustee’s Audit Committee, he said these type of phishing attacks occur “a lot.”
“We have this occurring frequently. However, nothing to the magnitude of what this one is. I can’t say it has never happened before, but definitely nothing like this,” Smith said.
University officials believe the initial breach occurred Sept. 25. Usually when a hacker gains unauthorized access to an email account, Smith said they will begin spamming all the contacts affiliated with the account, but that did not happen.
“We did not know (about the initial breach). It wasn’t until around Oct. 17 or Oct. 18 that another university employee received an email. It was a spam email. They looked at it and said, ‘This doesn’t look right.’ She made an inquiry, and it was at that point that we realized that this had occurred and someone had unauthorized access to an email account,” Smith said.
ETSU officials then spent the next weeks combing through the tens of thousands of emails contained in both hacked accounts to ensure they knew exactly who’s personal information was exposed.
While 7,700-plus people were affected, not every one of them were employees. Smith said some of the exposed information was that of former employees, dependents of employees or their beneficiaries.
As a precaution, ETSU is offering 12 months of free identity protection to all those who were affected. The university also established a website, www.etsu.edu/privacy/, and hotline, 423-439-3338, for further assistance.
On Aug. 1, the ETSU Office of Internal Audit was told the direct deposits of two employees, totaling $21,159.69, had been sent to a “fraudster’s bank account,” according to the September agenda of the Trustee’s Audit Committee.
Of the amount diverted, just $6,000 had been recovered from the bank. Based on the investigation described in agenda, the scheme started when the two employees responded to a phishing email.
The Audit Committee grades each audit based on a heat map that measures “internal control weaknesses” and “significance of issues noted.”
The direct deposit phishing scam scored a 3.5 out of 5 for significant of issues, and 4.9 out of 5 for internal control weakness. During his committee report to the full Board of Trustees on Sept. 21, Audit Committee Chairman David Golden never mentioned the direct deposit phishing scam.
“I would say that nothing was particularly noteworthy,” Golden said regarding his committee’s investigations.
Smith said this incident did not appear to be connected to the latest phishing attack.
In response to this phishing scam, the Department of Financial Services improved its internal controls over changes in an employee’s direct deposit information. Additionally, the agenda stated Information Technology Services planned to enhance their training efforts for the campus and propose the use of two-factor authentication for emails.
“We are in the process of implementing (the two-factor authentication). We hope to be done maybe by the end of the semester or by the end of the year, if not soon afterward,” Smith said.
For those who were affected, ETSU strongly recommends you:
- Request and review your credit report.
- Contact the national credit bureaus to request a fraud alert.
- Contact the national credit bureaus to request a credit or security freeze.
- Change credit and banking passwords.
- Be vigilant in monitoring credit and banking transactions.