Instrumental music taken with permission from Chad Crouch, License

Students and faculty at the University of Connecticut might want to rethink how they store their passwords after two phishing scams this year tried to solicit money through emails.

A phishing scam is a way that someone attempts to get you to release your personal information like usernames, passwords or bank information through email, according to the UConn Information Technology Services website.

Back in November 2019 and again in February, students received phishing emails asking for bitcoin. Their passwords also could have been included somewhere in the message.

So how are scammers getting students’ passwords?

“Because you give it to them,” said Vice President and Chief Financial Officer Michael Mundrane. He said you are the only person that knows your password, unless you’ve done something that could let it fall into the wrong hands.

“You’ve either given it to somebody who wasn’t careful with it, which you’re not supposed to do, or you’ve used it in multiple places and one of those places you’ve used it really doesn’t practice very good network security and they actually store your password when they shouldn’t,” he said. “UConn doesn’t store your password at all.”

No one is able to break into a UConn machine and find passwords to NetIDs, because they are not there, Mundrane said. That is why when you email ITS after forgetting your password, they cannot recover it and instead send you a link to reset it.

Although ITS has added a new banner to emails sent outside of a UConn server to alert students of possible spam or phishing emails, Mundrane said students and faculty alike need to be vigilant in their vetting of emails that come through.

“Every student should be thinking, ‘why did I just get this contact,’ and if it’s an unexpected contact they should be very, very careful, and especially when you add on top of that if it’s an usual request…” he said.

ITS can go in and remove phishing emails from faculty mailboxes that are used in Office 365, but not from students as those emails are in Gmail. Still, it’s not always easy to spot incoming phishing scams.

“The moment we are notified, we notice that a scam is happening, we start to take action,” Mundrane said. “But the problem with these scams is there’s nothing about them, technically, that’s problematic. You send an email to someone, what’s problematic about that? Nothing.”

He said while there is no software that can be downloaded to prevent these incoming scams, there are ways to keep passwords safe.

“In fact, ideally what you should do is use something like LastPass, or something like that, which actually will hold your passwords so then you can create a hard, unique password for every online account you have,” Mundrane said. “And then all you have to remember is one pass-phrase to open up your LastPass activities and it will do the passwords for you.”

Web-browser extensions like LastPass can securely store passwords without any websites actually keeping them in their systems. But having good judgement is always the best defense against phishing scams. 

“What they’re relying on is people lowering their guard and actually trying to be nice, that’s what they’re relying on,” Mundrane said. “Good nature.”

About The Author

Related Posts