CCSF boost security against phishing attacks

By John Ortilla

A City College employee responded to a phishing email on April 15. An investigation determined the email account had compromised the Personal Identifiable Information (PII) of 7,500 students, prompting the Information Technology (IT) department to improve and enhance their security procedures and systems.

The college quickly sent an email about the incident to all students and letters by mail offering one year of credit monitoring to those affected.

“We received a phishing email directing users to click a specific link,” Field said. “We sent it back to the campus advising them to not click specific links, and IT would never ask users to log into any website.”

Phishing emails are constantly taking on new forms to deceive recipients into giving away their PII. They are an epidemic and one of the most common occurrences of digital attacks on the internet today.

“The college is always in constant and relentless attacks of phishing emails,” Chief Technology Officer Jay Field said.

To help counter phishing emails that gets through the filter system, employees have access to a video library that provides training courses on cyber security. City College continues to fight against phishing scams while educating students, faculty and employees on the evolution of phishing emails.

“Faculty and other employees send me examples of phishing emails that get through and we use those to block them once we are aware of them,” Field said.

For added security against the phishing attacks, Field mentioned adding a new software part of City College’s Office 365 package called Data Loss Prevention. Still in the early stages of testing, the program prevents emails with PII from leaving the school’s network.

“We will need time and staff availability to analyze the results and tweak the settings, run it some more and analyze [again],” Field said.

There is so far no set date for its implementation.

“We’ve made some fundamental changes to our IT systems to prevent similar incidents in the future,” Field said. “We added whole data encryption to our new and old laptops. For employees who have access to PII, we now require them to have a two-factor authentication in order to log into their email.”

Two-factor authentication is a security measure requiring a code from a user’s smartphone to log into their email account. If the user does not provide the code, they can’t access their account.

“In an event that a user responds to a phishing email and receives their credential, the hacker would not be able to open their email as a code is required to open the account,” Field said.

While campus IT efforts have strengthened the college’s email security, both students and faculty should maintain a certain level of caution with unfamiliar sender addresses.

“I’ve received plenty of phishing emails and the campus has been good on keeping us up-to-date about these emails,” public speaking instructor Joanne Babin said. “But it’s also our responsibility to know if the emails we get are fake or real.”