Growing Number of District Email Accounts Compromised By Phishing Attacks
Over the past month, Contra Costa Community College District (4CD) students and faculty have been inundated with phishing emails from compromised student and employee accounts, according to the district.
The vast majority of phishing emails contain links to forms that request individuals’ personal information.
The recent outbreak of scam emails is the latest in a series of community college security breaches that have taken place since last year. A 2021 EdSource survey of California community colleges found that “hundreds of thousands of dollars were lost to scammers who fraudulently applied for financial aid,” and the actual figure could be even higher.
Tim Leong, 4CD’s director of communications, said in an email to The Inquirer that the district is working with Microsoft to disable compromised accounts.
The district has not released an official statement addressing the attacks, but Leong said that “everyone needs to be more careful when responding to suspicious emails.”
Currently identified phishing emails include subject headers such as “TOP URGENT: Invitation To Participate In $6,000 Free Scholarship Program” and “Employment Opportunities at UNICEF.”
Leong added that all students, faculty and district employees using @insite.4cd.edu email accounts should be careful when clicking any links or attached forms, even when they believe they’ve been sent by people familiar to them.
In an emailed response to The Inquirer about the rise in phishing attacks, Satish Warrier, 4CD’s director of information technology, said that across the district, “on average, one student account is compromised per day.”
According to Warrier’s estimates, some 30 student accounts are currently compromised. He said some district employee accounts were most likely hacked due to weak passwords or passwords that were also used for the individuals’ LinkedIn or T-Mobile accounts.
Both companies had account data that was recently compromised.
Warrier addressed the increase in phishing emails in a Mar. 8 district Zoom call, where he spoke about the need for multi-factor authentication, or MFA, to better secure the district’s accounts.
MFA systems currently being considered by 4CD include sending unique six-digit codes by text message as a requirement for logging in, or implementing the Google Authenticator app, which serves the same function.
Warrier said these changes were requested by 4CD’s insurance companies and auditors, which view multi-factor authentication as an industry standard.
The push for increased cybersecurity coincides with a recently proposed $100 million funding plan from the state that would allow California community colleges to increase cybersecurity staff and upgrade security software.
According to Warrier, the new MFA standards will first be implemented at the district level.
In the meantime, he urged caution, asking that individuals not respond to emails that appear “too good to be true,” as doing so compromises the individual’s account and enables the scammers to continue committing fraud.
“These compromised accounts are used to send out more phishing/spam emails to fellow students and employees,” he said.