Phishing attack could have been worse

Of 2,700 malicious emails, only 18 successful in diverting pay

A series of phishing schemes in November and December of 2013 targeted the University of Colorado Denver campus’ direct deposit function, resulting in some employee pay fraudulently being redirected to other accounts.

Brad Judy, director of University Information Systems (UIS) security, told members of the University of Colorado Staff Council at their meeting at the CU Denver Business School on Feb. 13 that about 2,700 emails were sent to campus addresses in an effort to obtain user name and password information.

“Out of those emails, only 18 employees had their direct deposit accounts changed fraudulently, and not all of those changes resulted in loss of pay,” Judy said. In an effort to combat future criminal actions, the university is looking at ways to add another layer of security to self-service and direct deposit functions.

Judy said he doesn’t know why criminals only targeted the Denver campus but said that other institutions of higher education across the country also have been affected. Campus police and the FBI are involved in the investigation of the event, but Judy says because the case is international and complex, it is unlikely that charges will be filed against the perpetrators.

The process of the crime is fairly straightforward, Judy said. An employee receives an email that takes him or her to a website that looks similar to a Denver campus login site. Once the user name and password are entered, the criminal uses the information to log into the CU Portal and change the direct deposit information. Criminals alter the information shortly before a pay cycle, leaving an employee and the university little time to catch the problem before a payment is redirected.

Judy said the university emails employees who change direct deposit information, but unfortunately, some of the affected people did not realize that something in their account was amiss. “We didn’t hear about this when it happened,” Judy said. “We heard about it when pay didn’t land in their bank accounts.”

By that time, the money already had been redirected into yet another account. Judy said the money often goes to a bank account held by an unknowing accomplice or another victim in a scheme that is called “money muling.” The criminals lead unsuspecting people into laundering money for them. Those people likely were tricked into believing they had a work-from-home job or were involved in a romance crime, where victims are led to believe that an online love interest is in need of money.

Because only 18 out of 2,700 people were affected, Judy said, “This is a story of imperfect success, which is the general story of information security to a certain degree. This is a low response rate for employees, and that shows us that we have good awareness or maybe people are just ignoring their emails.”

Judy said the university has efforts in place to combat security crimes. “We block about 78 percent of all inbound emails at the University of Colorado, so bad emails never get to your inboxes. Most of the stuff that does get through is legitimate, so in effect, we’re blocking about 97 percent of the bad stuff. And that’s the imperfect success.”

When UIS learned of the breach, it blocked access to websites, deleted copies of the phishing email and sent follow-up communications to employees who had received the email, telling them not to act on the fake request for information. While all of this helped, Judy said, UIS cannot block all access, especially to employees’ home or mobile accounts. “We can narrow down when the crime will occur but we can’t get to zero.”

The problem is compounded because many staff and students regularly travel or bank overseas. “We have people in other countries all of the time so that type of traffic from all over the world isn’t unusual,” he said. He added that the university gets about 1,000 true requests to change bank accounts every month. He said about 700 banks are represented in the university direct deposit process.

The university is discussing ways to add even more layers of authentication for employees who seek account changes, including adding an extra validation step.

Staff Council members also heard from several other guests:

  • Tony DeCrosta, associate vice president and chief plan administrator for the University of Colorado Health and Welfare Trust, said the trust is in the process of setting rates for the upcoming year for health benefit plans. He said the national trend is a 10 percent increase, but he believes trust plan participants will see a lower rate change.
  • Board of Regents Chair Michael Carrigan reiterated the need for better communication concerning board decisions. He also said that the program prioritization process currently in progress on all campuses will help the individual campuses, the university and the regents understand how finances are used and help identify which programs may or may not be vital to university goals. He said the process will help enable the institution to continue to provide a quality education to its students. See story here:
  • Dan Montez, director of the Office of Policy and Efficiency (OPE), and Leonard Dinegar, senior vice president and chief of staff, gave a progress report on the efforts to pare down and clarify system policies and improve system administration efficiency. See story here: