Undergraduate students received an email from the Dean of Students regarding an “active phishing campaign” believed to be targeting the Vanderbilt university community on Nov. 2 at approximately 9 p.m. CDT. The email detailed temporary changes in DUO security measures to log into their student accounts.
The email stated that students could no longer enter a mobile password to authenticate their account; rather, they had to use the “push” option to verify their identity via a notification sent to a phone or alternative device. An Oct. 25 MyVU News article about strengthening cybersecurity and combating phishing explained the intentions of these attacks.
“The fake email is designed to trick you into clicking a link or downloading an attachment to steal your personal information or infect your computer,” the article reads. “This information—such as usernames and passwords—can then be used to compromise an entire organization’s network.”
Several students reported receiving a fraudulent email on Oct. 31 that made it past the university’s email spam filter. The email—which said it was from Vanderbilt University and had a vanderbilt.edu return address—had a Microsoft 365 header and a link to supposedly reset their password. Sophomore Samantha Baker reports receiving an email with the Microsoft heading; however, she uses a personal email for her Microsoft account, so she suspected it was a scam.
“My computer warned me about it and said it seems unsafe,” Baker said in a message to The Hustler. “It wasn’t from VUIT.”
Sophomore Megana Atluri reports she does not remember receiving any fraudulent emails in her inbox on Oct. 31. However, both she and Baker received an email from VUIT Communications at around 2:30 p.m. CDT on Nov. 2 instructing them to change their passwords by 3:30 p.m. CDT. This email was followed up by an email from the Dean of Students as well as a university text message emphasizing students must reset their passwords immediately.
“VUIT Security has detected an active phishing campaign targeting the VU community, which potentially compromised your account,” the VUIT email reads.
Atluri contacted VUIT after receiving the email to confirm it was not fraudulent. They assured her it was real and told her to change her password.
“I’m just really confused because I feel like everyone’s saying something different,” Atluri said in a message to The Hustler. “I hope I didn’t sell my information because I just followed what the VUIT person said to me.”
On Nov. 3 the university released an article titled “Prepare for upcoming email security enhancement,” informing students and faculty of future Vanderbilt email policies. These guidelines aim to ensure all messages sent to Vanderbilt email accounts are authorized.
“Vanderbilt University will implement an email security enhancement in January 2022 that will help ensure VU email accounts stay safe and secure by preventing spoofing, a practice used to forge the ‘from’ address of an email message,” the article reads.
This change will affect those attempting to use email to reach a mass audience. Per the article, students will only be able to use MyEmma—and not third-party resources like MailChimp and Constant Contact—to email a mass audience. Students with concerns about this policy change are encouraged to schedule a meeting with VUIT.
On Nov. 3 at 11 a.m. CDT, MyVU News released another article titled “Cybersecurity Alert: Campus-wide phishing attack,” addressing what appears to be a different phishing email sent to “multiple” Vanderbilt email addresses.
“The email has the subject line ‘Covid Test,’” the article reads. “Do not open this or any emails from unknown senders, and do not click on or open any attachments.”
No details about the contents of this email were revealed in the article; however, it outlines how to report phishing on Outlook Mail and gives an email to report phishing for people using other platforms. It further informs students to look for a “suspicious sender,” “impersonal greeting or closing,” “sense of urgency” and/or “grammar and formatting” to determine potential phishing.
These same reminders were also sent in an email to the Vanderbilt community by Vice Chancellor for Finance and Information Technology and Chief Financial Officer Brett Sweet. However, the warning email was mistakenly sent to students’ spam folders as opposed to their inboxes.
Sweet and Provost and Vice Chancellor for Academic Affairs C. Cybele Raver announced on Sept. 13 that one of their primary goals for the 2021-22 academic year was to improve campus cybersecurity.
“Cybersecurity is increasingly critical. We have seen an unprecedented wave of attacks against vital infrastructure, global corporations, medical centers and clinical labs, and certainly in higher education,” Raver said in a video attached to the announcement. “At Vanderbilt, we have a shared responsibility to secure our personal information and also protect the university’s vital data and research.”
Sweet noted in the video that universities are becoming a “target” for cybersecurity attacks and thus the university is embracing six core principles regarding cybersecurity: “secure and protect data,” “promote resilience to cyber-attacks,” “commit to information security as a shared responsibility,” “ensure no harm is done to academic and research mission,” “fulfill our duty towards community and society” and “foster education and awareness.” In 2019, the VerifyU program implemented multi-factor authentication and novel antivirus technology to heighten security, and in Nov. 2020 VUIT stated they work to prevent over a million cybersecurity attacks every day.
This story will be updated as more information becomes available.
