FSU’s Information Technology Services (ITS) department plans to implement new “next-generation” spam-filtering software over the summer to combat an increase in spam emails, according to Mike Zinkus, director of systems and networking.
For 12 years, the University has been using a system called the Barracuda Spam Firewall to combat spam. But now, ITS is exploring new options, such as Mimecast or Proofpoint, which Zinkus said are cloud-based and more advanced.
Zinkus added ITS is also looking at additional methods of protection, such as Cisco Umbrella, which makes the spam emails that do slip through filtering software “inert” by blocking dangerous links and other attachments.
He said, “Realistically, the goal and the timeline is to have it in place over the summer, so when everyone comes back next fall, it will be in place.”
ITS does not anticipate many additional costs with the new software. Zinkus said, “We have Barracuda, which is a physical appliance that sits on campus, and there’s annual recurring costs for that. A lot of the new products are actually cloud based, so there isn’t something physical on campus. In some ways, we’re trading the cost of one for the other.”
He added, “The cost is dependent upon the product we go with, their licensing model. … To say exactly what [the costs] are at this point is a little difficult. But for the most part, it should be in line with what we’re already paying. We’re just reallocating existing monies to cover that.”
Throughout the semester, students and faculty have been receiving fraudulent emails in their school accounts. The messages seem to be coming from FSU accounts and sometimes even refer to campus clubs or email groups, such as those for Security Desk Attendants.
On Jan. 17, a mass email was sent to FSU students that appeared to be from Linda Vaden-Goad, provost and vice president for academic affairs.
The University’s ITS office emailed students to warn them the email was fraudulent and contained an attachment that could “compromise” students’ user accounts and computers.
Nora Ingram, a junior, is currently studying abroad in England. She said, “I got hit with a spam email and then my account started bugging out. I ended up sending at least 1,000 emails worth of spam. It took me a few hours to stop the spam after resetting my password multiple times.”
She added, “I haven’t been able to send emails through my FSU email since then, but I receive both important emails and even more spam emails.”
In December 2018, hackers stole over $800,000 from Cape Cod Community College using a virus that likely got into the system through an unsolicited email, according to Campus Safety Magazine.
Zinkus said, “Shortly after that incident is when Framingham State started to see an increase in targeted phishing attacks. I do believe the two are related.”
He added, “What happens in that scenario is, they go, ‘OK, so it worked at Cape Cod Community College – let’s look at the other higher ed institutions in Massachusetts.’”
He said, “Luckily, we haven’t been breached to that capacity, and I don’t think we will be. We have a lot of controls in place to mitigate that.”
Zinkus said there are spam emails and phishing emails, which “are typically when you get an email that’s looking for some sort of information from you,” such as usernames, passwords, or bank account information.
Phishing emails have now “evolved” into something called “spear-phishing” emails, which are more targeted.
“They’ll have somebody that searches the website of the university and gets a username and password for someone who is higher up in the university, and then they spoof that and try to make it look like it’s coming from that individual,” Zinkus said.
He added that these emails often do not originate from accounts in the FSU system. “If you were to do a mouse-over on it, it would show that it actually came from Gmail. … That’s the majority of what we’re seeing.”
The targeted nature of the attacks makes it more difficult for spam-filtering software to identify and block the emails, so the University sometimes has to be more reactive than proactive in warding off spam.
Zinkus added these kinds of attacks are an industry-wide problem, not something specific to FSU.
He warned that the University would not ask for usernames or passwords in an email, so if an email appearing to be from the University asks for that information or directs recipients to a login page, it is likely spam.
Roy Galang, information security officer, said, “Cybersecurity is a group effort.” ITS works to block these emails, but students and faculty also need to be diligent about what they are opening.
He said, “I’d be very careful about emails – that you don’t expect – that ask you to do something,” such as input personal data, share a username or password, or buy a product.
Galang said if students interact with these emails, they should immediately change their passwords and report the incidents to the IT department.
“They are trying to defeat how we defend against them,” he added. “Some of these things aren’t technologically discoverable. The only way that we learn about them is if you tell us about them.”
Madison Rosbach, a senior, said, “I take my school email a lot less seriously than I used to. I check a lot less because I know it’s all going to be spam. I don’t have my phone notifications on anymore, because what’s the point? And I’m worried important messages are getting buried in spam.”
President F. Javier Cevallos said, “I understand how exasperating it is to deal with so many scam emails. The perpetrators are getting better at disguising their true identity. They use names that are familiar and even use real signature files stolen from our e-mails.”
He added, “Our IT department folks do the best they can to stop them, but the best defense we have is to be extra cautious about opening any attachment or clicking on any link unless you are absolutely certain it is safe.”
Galang said while it may seem like there are many spam emails, ITS does a lot of work to block them. “Of the 20 or 30 or 40 or 50 spam emails that you do see, there are thousands that you don’t see.”