Mustang Daily Staff Report
Cal Poly sent an email to faculty, staff and students on Wednesday after receiving an influx of phishing emails, or email attacks targeting Cal Poly users, this past weekend.
“There were about 25 compromised campus email accounts (this past weekend) that the school knows about,” Policy and Complaints officer for Information Services Mary Schaffer said. “Generally the purpose is to send more spam emails using the hacked account, there has never been any identity theft as a result from these emails that we know of.”
Schaffer said universities are often the target of these spam emails; they generally occur at times when a large introduction of new students is expected, such as when a new school term begins or ends.
The last time a large number of campus accounts were compromised was August, Schaffer said.
“A lot of the time they won’t even realize that we are on the quarter system,” she said. “This might have been, in their minds perhaps, the start of the spring semester.”
Cal Poly users will never be asked to report their email, password or any personal information to a non-calpoly.edu link or website, and students should be aware of messages containing links to click on that claim to be from Cal Poly, Schaffer said.
According to Schaffer, the body of these emails will commonly display a link that says “click here” or appear to be from a Cal Poly address — but if you hover the mouse over the link, it shows a different URL.
The false addresses claimed to be from various campus services such as Cal Poly Security Support, Cal Poly Email Support, California Polytechnic State University, California Polytechnic Support, email@example.com, firstname.lastname@example.org, System Administrator, Admin, Webmail Technical Support / Fraud Prevention Unit, Webmaster Centre and so on.
The links then lead to a non-calpoly.edu web form, such as a Google Doc, and ask the user to leave their username and password to avoid losing access to their Cal Poly email and services.
The email reminded users that ITS will only send reminder emails to update passwords once a year, but will never ask you to input a private password or personal information unless through the official Cal Poly portal.
Cal Poly users are no stranger to bogus emails and the school has a list of previous spam mail messages that have been sent out at its security website.
Past bogus emails have claimed to be: termination notices from security services, security support alerts, server upgrade notifications, email fraud notifications, mycalpoly.edu account retainment messages, anti-virus updates and exceeding email account storage limits.
Users should take notice of emails with fake Cal Poly signatures such as email@example.com, my.calpoly.edu.portal@calpoly.
Green said users who are not sure whether an email is actually from Cal Poly should call the ITS service desk where they can help identify the email.