Don’t Take the Bait: Defending Institutional Data From Phishing

Since 2005, educational institutions have publicly disclosed more than 1,800 data breaches. Nearly half of these incidents were the result of hacking, malware, or phishing. With the rise in remote learning and increased reliance on technology, the FBI, and attorneys general allege that scams including phishing are on the rise. Phishing is a type of email attack in which a scammer attempts to obtain confidential information for malicious reasons by posing as a trustworthy entity. This is typically achieved by sending email messages with a forged sender address — a practice known as spoofing.

While educational institutions are common targets for phishing attacks, there are steps you can take to minimize the risk that the attack will be successful, reducing the likelihood of litigation.

Two United Educators (UE) claims highlight the risks associated with phishing-related data releases. An HR administrator received what she thought was a legitimate email from the university’s President, requesting the W-2 form of every employee. W-2 forms contain confidential personal information, including an employee’s name, mailing address, income, and Social Security number. The email header displayed the President’s name, although the actual sender’s email address was a few characters off. Unfortunately, the administrator sent unencrypted PDF files containing the W-2s of more than 1,300 current and former employees. An HR administrator at another institution responded to a similar email, compromising the sensitive information of approximately 3,000 employees.

Each of these successful phishing attacks resulted in numerous instances of identity theft, including fraudulent tax return filings, attempts to open credit card accounts, and an alleged attempt to open a mortgage in an employee’s name.

Keep Your Institution (and Data) Secure

Consider the following strategies to help your institution minimize the risk of a phisher taking your data:

• Provide cybersecurity training, like UE's Data Security Course Collection, at least annually for employees with access to sensitive information. Train other employees periodically. 
• Implement information-transfer protocols such as following up on email requests with a phone call to, or preferably, a face-to-face conversation with the person requesting the confidential information.
• Spread awareness of these schemes. Consider warning university employees and/or students about known phishing attacks as soon as possible through appropriate email lists or social media.

Remind employees to watch for an increase in phishing requests just prior to tax season.

Shortly after the two universities mentioned above notified employees of the data breaches, class action lawsuits were filed, alleging breach of contract, negligence, invasion of privacy, and unfair business practices. Since not all claimants actually suffered identity theft, the lawsuits allege damages based on the potential harm caused by the ongoing increased risk of identity theft enabled by the data breaches.

You Took the Bait. Now What?

If your institution does fall victim to a phishing attack, you can take these steps to minimize the impact and decrease the likelihood of litigation:

• Notify those whose information has been released as soon as possible. Most states have compulsory data breach notification laws. The applicable requirements depend on the residence of affected employees, not just the institution’s home state. Be sure to follow all statutory requirements and work with experienced counsel when deciding how and to whom to give notice.
• Consider providing credit monitoring services to affected employees and set up hotlines for concerned employees to call for assistance.
• Inform appropriate law enforcement authorities of the crime, even if it is unlikely they can track down the fraudsters. State statutes allow institutions to delay notification if law enforcement determines it will impede the investigation.

More From UE

Protecting Student Data Privacy in a Remote Learning Environment

Data Security Course Collection

Additional Resources

Criminal Marketplaces Are Selling University Login Credentials

Cyber Security and Infrastructure Security Agency: Alerts #StopRansomware

Privacy Rights Clearinghouse: Chronology of Data Breaches