“Typically, the most important and devastating vulnerability a company can have, is its very own people. The human factor, or error, is responsible for 95% of all security incidents.
There are significant correlations resulting in lowered susceptibility based on college affiliation, academic year progression, cyber training, and age demographics. Approximately 59% of people who opened the phishing email clicked on phishing links, and approximately 70% of those subjects additionally interacted with the phishing site in some way.”
We are all aware of an incident that occurred at Tygerberg Campus recently when several colleagues got an urgent email, from Prof Jimmy Volmink – our dean – asking “Do you have a minute?”
Several responded to the initial inquiry, thinking that it was a bit unusual for the dean to communicate in such a way, but felt that they had better keep in his good books and acquiesce to his request, and asked him how they could assist.
They soon got a response from “Prof Volmink” asking “Are you available right now?” and started asking if they could do him a favor.
This was out of character, and immediately suspicions were raised, because this e-mail was not sent by Prof Jimmy Volmink.
Tygerberg Campus had become the target of a phishing scam – one that targeted faculty members at several South African universities exploiting the ability of senior academics to get some quick cash using their junior employees.
In this scheme, phishers pose as deans and department chairs, asking personal assistants and administrative staff to purchase gift cards for iTunes or Amazon, or to “lend” them some money.
Often early in the exchange, the scammers often say they are “in a meeting” or waiting at the airport, and this often eases initial suspicions as deans or department chair always have long meetings, or are traveling. There are often promises to reimburse the victim soon.
The sender’s email address often does not raise red flags because, in many cases, the scammers have created a fake email account that includes the name of the person they impersonate. (for instance, in this case jvolmink.sun.ac.za@outlook.com was used, which very similar to a typical university e-mail address.)
Many people would disregard this as an attempt to make some quick cash off of a gullible university employee, but the scam hits many faculty members in an especially vulnerable spot – their desire to please their bosses.
For me it highlighted the ingrained “power differential” within academia that junior personnel are often motivated to respond to even unusual requests.
Prof Volmink found the scam to be creepy and a bit scary. His immediate concern, was that his faculty or staff would be hoodwinked as the scammer used his name, even down to the fake e-mail address.
Publicly-viewable listings of department faculty and contact information are at many universities, and this can be a security vulnerability. All the scammers need is to catch a small percentage of targets on an off-day because they e-mail so many people.
Junior faculty members might be constantly thinking: “What can I do to make my boss like me and keep me in their good books?” Buying Amazon gift cards, or wiring some money is much easier than the tasks we should be doing. This is why this particular phishing scam was so successful.