
Universities are frequent cybersecurity targets — here's how you can prevent a breach

Chief information security officer highlights some of TMU's brushes with cyber threat groups
June 19, 2025

Experts say one way to help prevent a cyberattack is to always be suspicious if you’re asked for your password or two-factor authentication code. See below for more tips. (Photo: Createase/Unsplash)

They know what you want to hear and have a knack for making you feel like you’re on the verge of getting something you need.

Hackers and cyber threat groups have always set their sights on universities, and the psychological cunning behind recent attempts at Toronto Metropolitan University (TMU) is being highlighted by Wura Bamgbose, TMU’s chief information security officer.

“There’s a common thread to reported incidents where threat actors are engaging in longer, conversational interactions that gain trust from their targets,” she said. “Hackers will try to access TMU networks through every possible gateway and we know of attempts spanning our student, faculty, staff and retiree communities.”

In many cases of incidents intercepted by TMU, attacks began with an unsolicited email with:

  • Prospects of job offers and salary increases
  • Impersonations of IT support staff notifying you that your account or WiFi network was compromised, with offers to help secure it
  • Revelations of funds being transferred out of your account and pledges to help recover the money

In 100 per cent of these cases, the email contained a suspicious link or phone number that put the TMU affiliate in direct contact with hackers.

Phishing remains the easiest path to your accounts

A recent incident involving a TMU student illustrates how attackers bypassed TMU’s two-factor authentication, which helps prevent attacks even when someone gets ahold of a password.

The incident began with a phishing email in which attackers used a purported job offer to request and receive personal information from a student.

Afterwards, the student was asked to verify their affiliation with the university by logging in to their TMU account. The student then entered their TMU login credentials on what turned out to be a fake TMU page, which provided their credentials to the hackers.

From there, the student was asked for their phone number, and a text to the student’s cell phone then requested their two-factor authentication code, which the student provided. Doing so allowed attackers to gain entry to the student’s account beyond TMU’s two-factor system.

When the attacker’s activities tripped both Google and TMU’s spam surveillance alerts, TMU’s IT security team locked down the account, making it impossible for the attack to gain further ground.

“The scenario shows that even when we put strong security measures in place, nothing is perfect and attackers will find ways to try and bypass our systems,” said Bamgbose. “Our individual vigilance needs to be in place to stop an attack from progressing.”

Top three ways to thwart hackers

Where systems and protocols may temporarily fail, one of the best ways to protect yourself is to adopt a healthy skepticism. As a baseline:

  1. Pay attention to requests and verify where they’re coming from any time you’re asked to recite or type in personal information—that includes username and password combinations, phone numbers and bank account numbers.
  2. Know that IT support staff do not need your password or two-factor authentication code to assist you, and would never ask you to share such details. If you’re asked to share them, be alert, as you may be in the midst of an attempted attack.
  3. Diversify your passwords by creating longer phrases with a variety of letters, numbers and symbols. It’s also wise to use different passwords for different sites and consider using a password manager to keep track of them.

And when it comes to a more surprising takeaway from recent TMU attack attempts, Bamgbose points back to the psychological factor that is unmistakable.

“It is no longer always the case that threat actors approach you with an air of threatening behaviour. Oftentimes our community reports that attackers came off as friendly, helpful and unhurried. By the time they were asked to perform tasks like logging in to a website shared by the hacker or giving out personal details, it didn't feel out of place or suspicious since they thought they were with a safe support person.”
