Over 280 North Dakota State email accounts had been compromised by phishing attackers since Tuesday.

Phishing is the act of luring unsuspecting Internet users to click on a link or input information into a website.

Students, staff and faculty are mainly being targeted through malicious phishing emails through their NDSU accounts. Examples include false emails saying users may upgrade their email storage space through Help Desk, someone’s cousin needs money or individuals in Africa need money.

Marc Wallman, vice president for information technology, said that if information cannot be found elsewhere through without clicking a link, it is best to avoid clicking that link. He added that NDSU, along with most legitimate corporations, will not ask users for their username and password without being on their legitimate log in site.

Theresa Semmens, chief information security officer, said phishers use the information gained from phishing to either use for personal malpractices or to sell information on the black market for a profit.

He said that phishing attacks are “indiscriminate, they’re opportunistic,” and once an account is compromised, every email within that account’s address book will also be targeted.

Wallman said that concerns are drawn because locked accounts prevent students from emailing files to colleagues and professors.

If hooked

If students are hooked by a phish, Semmens recommends to change the account password immediately, as well as change any account passwords that the email may be linked to and any accounts one may control with the same password.

She said that accounts should also be monitored for any adverse activity, such as money going missing from financial accounts or incorrect charges to an account.

Institutions users are involved with, such as their bank, should be notified in the event of a phishing attack, Semmens said.

Semmens said that if individuals are scammed, they should file a police report.

Discovering phish

“If it looks suspicious, don’t click on it,” Wallman said.

Semmens added that Help Desk will not ask NDSU community members to upgrade their accounts individually, rather it would send out a news release to all involved notifying them of an increased space in their emails.

Those who discover what they believe to be a phishing email can report it to NDSU’s report-a-phish account by forwarding the suspected email to ndsu.reportafish@ndsu.edu. From there, the IT department will attempt to identify the source of the phishing and block it from use.

Microsoft Office 365, which NDSU uses to power its email system, will identify if there is an abnormally large amount of emails being sent outside of the NDSU database and Microsoft will block that email from sending out emails.

Prevention tactics

The IT department will be beginning a phishing simulation, whereupon it will target groups of staff, faculty and students by college or department with false phishing emails. Then, when individuals interact with the false phishing emails, they will be redirected to another website whereupon they would be prompted with information regarding phishing and its risks.

Semmens said the simulation is designed as an anonymous educational tool for the NDSU community and is not designed as a way to identify individuals who may be targeted by phishing.

The department is also working with Qualtrics to create an educational exam for individuals to test their ability identifying phishing emails.

The information technology department began its campaign against phishing last spring.

The problem of phishing has been ongoing, though instances involving NDSU have surged within the last year, Semmens said.