University of New Mexico students have seen a drastic increase in phishing emails since the start of the academic year, and these emails are disproportionately affecting first-generation and low-income students.
Tamara Martinez, a student success specialist at UNM’s Student Support Service office, said first-generation and low-income students view scam job offers as ways to pay for tuition or housing rent fees. As a student success specialist, Martinez creates scholarship and financial aid workshops for students most in need of them, assists with course and degree plan selections, and helps students set attainable goals for graduation.
According to Martinez, approximately half of her 160 students have received phishing emails. 15-20 have responded and five have fallen victim to the emails, which Martinez said was heartbreaking.
"I've had students lose anything from a couple hundred to a couple thousand dollars, but regardless of the amount, they can’t afford to lose any," Martinez said. "The person sending these emails is relying on the fact that these students desperately need money. This can result in them losing a thousand dollars that they were planning on using for rent."
With the advent of increasing email scams, Martinez has begun to advise her students on how to identify phishing emails. She also encourages her students to send her emails they are uncertain about so she can confirm or deny their legitimacy.
"I tell my students to look if emails are sent on behalf of someone else. Also, if they’re asking you to use an email outside of your UNM one and to provide your home address, I would be very wary," she said. "And sometimes a quick Google search can help. For example, there was an email sent out last week that spoke about a disability service center at UNM, but that office doesn’t exist."
On Jan. 28, the Dean of Students Office sent an email reminding students to exercise caution concerning their Personally Identifiable Information (PII) and containing instructions on how to safely identify phishing emails. According to the email, the frequency and efficiency of phishing emails have risen dramatically throughout the past two semesters, increasing by over 200% and successfully garnering access to students’ bursar accounts, among other PII.
The format of phishing emails varies, but it frequently poses as a job offer. More examples can be found by accessing phishbowl.unm.edu, a website approved by UNM’s Information Security and Privacy Office intended to promote public recognition of the composition of phishing emails.
UNM’s Information Security and Privacy Officer Jeff Gassaway, with input from the CIO, Deputy CIO and Information Security Operations Team Lead, provided responses to the Daily Lobo's questions regarding the frequency and severity of phishing emails.
"While there are slight differences in email formatting, phishing attackers have become highly adept at including visual images and logos that UNM students, faculty and staff are used to seeing in messages from authentic University resources," the office said. "Phishing attackers continue to use social pressure to convince targets of the urgency of responding or include compelling offers such as job postings, scholarship assistance or available grant opportunities."
Recently, phishing emails have become more sophisticated by appearing to derive from an authentic UNM email account.
"Some phishing email messages have included malicious software that attempts to install itself onto the computer. Once they have someone's NetID and password, attackers can send a more convincing email," Gassaway said.
UNM has incorporated preventative measures to mitigate the consequences of phishing emails and ultimately protect students' PII. One example is a red banner at the top of email messages (instituted Dec. 12 of last year) that are sent by parties outside of the UNM email system. UNM will also implement mandatory information security and privacy awareness training for all students and employees.
Since it is nearly impossible to completely eradicate phishing attempts, Gassaway said it is crucial for students, faculty and staff to be well-versed on how to identify these attacks and subsequently protect sensitive information.
"We want students, faculty and staff to know that any email that asks them for their username, password and/or Personally Identifiable Information including but not limited to their Social Security number, date of birth or home address is probably a phishing attempt," Gassaway said. "UNM’s data collection processes are not generally through email and include sites like unmjobs.unm.edu for job applicants and apply.unm.edu for prospective students. These and other UNM information services are secured through different layers of safeguards."
Beatrice Nisoli is a beat reporter at the Daily Lobo. She can be contacted at email@example.com or on Twitter @BeatriceNisoli