Geoff Cooper/Chinook
Kent Brooks, director of the CC IT department is pictured here at his desk. Brooks spoke to the Chinook about a phishing attack at the college.
By Geoff Cooper
Casper College suffered a multi-wCasper College suffered a multi-wave phishing attack in the middle of last month. Phishing, according to IBM, involves digital or voice messages that try to manipulate recipients into sharing sensitive information, downloading malicious software, transferring money or assets to the wrong people, or taking some other damaging action.
According to CC’s IT director, Kent Brooks, “The first wave was over 2,000 emails, and of that, two hundred were opened.”
Brooks and several IT staff spent the weekend of Sep. 15 dealing with the attack, and he said he personally clocked thirty-two hours at the office during the ordeal. Most of the work involved notifying students, faculty, and even other institutions that may have been affected. In addition, Brooks said he and his team manually went in and pulled the emails from the receivers’ inboxes.
Brooks said that the ratio between students and faculty who engaged with or became compromised by the phishing emails was close to evenly split. This particular attack aimed to obtain personal information that circumvents the multi-factor authentication in place for CC logins, and it worked in at least one instance. The victim’s account was taken over.
“It was totally social engineering,” said Brooks. “There’s no technical thing that would have stopped it.”
Social engineering, in this context, is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes, according to Oxford Languages. It is also known to organizations, like IBM, as “human hacking.” With the advent of things like multi-factor authentication, the only variable left to exploit is the user.
“It is way more challenging for me to hack your password than it is for me to ask you politely,” said Brian Clark, the IT network coordinator for CC.
Despite the recent phishing attack, campus functions remain undamaged. As for the individuals affected, both Clark and Brooks want to change the narrative around cyber-attacks. In their experience, whenever someone falls victim to an online scam, they aren’t regarded with compassion like any other victim. Rather, they are blamed for falling for the scam.
Victims even blame themselves and often express shame or embarrassment. Neither Clark nor Brooks believes this to be the appropriate response. For them, the blame rests solely on the criminal behind the scam.
“I have a master’s degree in cyber security, and I’ve fallen for phishing,” said Clark. “It’s going to happen because we are trusting people. People need to recognize that they were trusting, not stupid.”
According to both Clark and Brooks, it doesn’t help that these attacks are consistently improving either.
Phishing attacks are way better now than even just last year. With the advent of something like ChatGPT, scam messages are getting harder and harder to detect. Many of these messages originate from outside the United States, and with the help of AI, scammers are capable of much greater linguistic nuance. With this in mind, the IT department will continue to send out information and resources regarding cyber threats, and they have the resources to organize fake phishing exercises for awareness in the future.
The most important thing for users to understand is that IT will never ask for passwords or logins, and neither will any other reputable business. Any suspected campus-related phishing attempts should be reported to the CC IT department.
