In a recent advisory, the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) warned higher education institutions about sophisticated phishing attacks that target faculty and staff credentials to access payroll information and, in at least one case, insurance policy information. The attackers are closely researching institutions’ systems and practices so that they can spoof e-mails and web portals and trick users into providing the credentials used to access universities’ and colleges’ payroll information. Universities and colleges should view this warning as an opportunity to improve their anti-phishing training and examine their cybersecurity policies.

The phishing attacks described in the REN-ISAC notice target university faculty and staff whose e-mail addresses can be “scraped,” or harvested, from public campus websites. The victims receive an e-mail purporting to be about a change in salary from the university’s human resources department, and they are instructed to follow a link to review information about salary changes. That link connects to a web page that spoofs the university’s human resources or payroll portal and collects the victim’s login credentials. The attacker then uses these stolen credentials to change the victim’s direct deposit settings to reroute payroll deposits to the attacker’s account. These types of attacks appear to be well planned and highly orchestrated, as they very closely mimic university images and URLs and were often sent during faculty review periods.

REN-ISAC suggests universities make several changes to defend against these latest phishing attacks. These prevention techniques include:

  • Using two-factor authentication or virtual private network requirements
  • Alerting users when direct deposit information has changed
  • Redacting sensitive information available to the user in online systems to prevent the loss of additional personal information
  • Implementing systems to identify suspicious transactions in payroll systems, such as transactions routed to unusual geographic locations or users with duplicate account numbers
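
The last item above can be approximated with a simple review rule over direct-deposit change records. The following is an added example, not part of the REN-ISAC advisory or any payroll product: the record fields, the sample events, and the `USUAL_BANK_COUNTRIES` baseline are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample direct-deposit change events (not real data).
# Field names are assumptions for this example, not a payroll vendor's schema.
CHANGES = [
    {"id": 1, "user": "asmith", "routing": "000000001", "account": "1111", "bank_country": "US"},
    {"id": 2, "user": "bjones", "routing": "000000002", "account": "9999", "bank_country": "US"},
    {"id": 3, "user": "cwu",    "routing": "000000002", "account": "9999", "bank_country": "US"},
    {"id": 4, "user": "dlee",   "routing": "000000003", "account": "4242", "bank_country": "ZZ"},
    {"id": 5, "user": "asmith", "routing": "000000001", "account": "1111", "bank_country": "US"},
]

# Assumed baseline: countries where this institution's employees normally bank.
USUAL_BANK_COUNTRIES = {"US"}


def flag_suspicious(changes, usual_countries=USUAL_BANK_COUNTRIES):
    """Return {change_id: [reasons]} for changes that need manual review."""
    # Map each destination account to the distinct users pointing payroll at it.
    users_by_account = defaultdict(set)
    for c in changes:
        users_by_account[(c["routing"], c["account"])].add(c["user"])

    flagged = {}
    for c in changes:
        reasons = []
        sharers = users_by_account[(c["routing"], c["account"])]
        # A user re-entering their own account is not a duplicate; only
        # distinct users sharing one destination account are flagged.
        if len(sharers) > 1:
            others = sorted(sharers - {c["user"]})
            reasons.append("account shared with " + ", ".join(others))
        if c["bank_country"] not in usual_countries:
            reasons.append("unusual destination country " + c["bank_country"])
        if reasons:
            flagged[c["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for change_id, reasons in flag_suspicious(CHANGES).items():
        print(change_id, "; ".join(reasons))
```

Flagged changes are candidates for review before the next payroll run rather than automatic blocks, since legitimate cases such as two employees in one household sharing an account will also match.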

Phishing attacks remain some of the most common cybersecurity threats. While these specific attacks targeted payroll information, user credentials obtained through phishing attacks can be used to compromise other parts of an institution’s network, which may contain sensitive personal information, intellectual property, or other confidential data. Educational institutions can protect themselves, their employees, and their data by regularly reviewing their information security policies and practices. These practices should include training faculty and staff on information security, including how to identify phishing attacks. Additionally, institutions should take advantage of cybersecurity information-sharing organizations to receive information on the latest cyberthreats.