Phishing emails lure DePaul community into false opportunities

A phishing email sent to emails about a possible employment option.

Maddy Maes

A phishing email sent to emails about a possible employment option.

When junior Joanna Flores received several emails about employment opportunities at DePaul last year, she responded and gave the supposed “employers” her information, including her name, phone number and address.

She later found out that this email was a job scam, and an act of “phishing” for personal information by impersonating a reputable source: DePaul.

“Honestly, it felt like a large disappointment when I found out about it being a scam because I started getting them when I was unemployed and really needed a job to pay tuition,” Flores said. “So me looking for a job and needing one really changed how I saw the emails, almost as a ‘thank god they are hiring’, only to find out it’s a scam and it could have ended badly.”

Flores is not alone. The Internet Crime Complaint Center received 241,342 phishing complaints in 2020, resulting in losses of over $54 million. Since the start of the pandemic, scammers have also shifted to using fake job scams to steal people’s personal information.

From fake job offers to warnings urging students to update their information in a database, scams and phishing attempts take a wide range of appearances. DePaul’s Information Security team monitors and responds to issues like malicious phishing attempts and job scams, while managing infrastructure like firewalls and antivirus.

“[Phishing is] what I think really presents the biggest risk to students, staff and faculty,” E.J Gamarro, a senior member of the Information Security team at DePaul, said. “Phishing are messages that actually have some claws to them. Phishing-type messages are the ones that are trying to trick users into taking some action, or making them believe something that really isn’t true.”

One clear sign of phishing are messages with a sense of urgency.

“They try to give the user the sense of impending doom, if they don’t do something,” Gamarro said. “Another attribute that is usually obvious is that they need that person to take very specific actions right away. Those are attributes to every phishing message that students should definitely be concerned about.”

Since responding to a suspicious email last year, Flores still receives messages about other fake job offers. She now knows not to respond and moves the suspicious emails to her spam folder, but does not know what other information the scammers may have taken.

“I just want to know how DePaul can ensure that they don’t send out emails again, especially to those who really need a job,” she said.

For students like freshman Matthew Clifford, receiving suspicious emails also raises concerns about DePaul’s security.

“My main concern with all of these emails is how exactly are people getting my email address?” Clifford said. “I know we all have the same address at the end, but that doesn’t explain how they got mine specifically.”

While staff and faculty emails are available on DePaul websites and directories, student emails are not exposed by default.

“To be honest with you, the only way to really find out exactly is to actually ask one of these scammers,” Gamarro said. “I couldn’t give you an answer that is one hundred percent accurate, that’s what I’m trying to get to, I can only guess and speculate.”

 “But you can compare this to the way other businesses that are legitimate actually get other email addresses,” he continued. He compared it to legitimate businesses collaborating and sharing contact lists. “I can only imagine or guess that the bad guys collaborate in this sort of way as well, in that they build their own database of potential email addresses that they may try to phish.”

Compromised DePaul email accounts can be used to target the community, according to announcements by the Security Team.

“Any phishing email that you suspect is malicious, please, we encourage the community to send it to [email protected],” Gamarro said. “I can’t guarantee that without conducting a full investigation, it’s hard to determine right away whether it is in fact a compromised ID or if it’s something that has just been spoofed to look like it’s really from somebody else.”

According to Gamarro, the Security Team takes a “multi-layered approach to enhancing email security” by focusing on improving both technical controls and security awareness.

We are blocking a great deal of malicious emails at the gateway today, and we are currently testing other controls that we plan to add soon. However, we have other layers of protection to help us throttle and adjust anything that might sneak through, such as the use of SafeLinks policy that we use today to redirect malicious websites to a warning page,” he wrote in a follow-up email.

 “The security controls we are implementing today have taken a few months of testing, mainly because we want to introduce a finely tuned security control and not just another problem that obstructs students,” he continued. “We have more protections on the way, so we appreciate the patience while we get these controls ready for production.”

DePaul’s Security Team works alongside other teams to keep the community safe, including the development team, the networks team, email administrators and other members of the infrastructure team. The university also works with other organizations to identify and stop phishing emails at the source.

“We are actively collaborating with security organizations to identify phishing sources and infrastructure,” Gamarro added. “This helps the larger security community tackle the root of the problem by taking away resources used by the bad actors and disrupt their operations.”

The Security Team also offers resources to keep members of the DePaul community informed. Cyber security training is available for faculty, students and staff, as well as examples of past phishing campaigns, to help the DePaul community identify phishing emails.