Phishing attack hits several BGSU employees in pocketbook

By DAVID DUPONT

BG Independent News

Four university employees recently had their banking information hacked, with three having their pay redirected, and one of them had a fraudulent tax return filed by hackers.

John Ellinger, the university’s chief information officer, reported on the incidents at Tuesday’s Faculty Senate meeting.

He did not notify campus through a mass email because he did not want to tip off the hackers about how the university was responding.

He assured the senate that no university data had been accessed. However, that information could be endangered if hackers find a pathway using the personal data of those who have access to university information.

Ellinger said the problems began in January when the employees – three faculty and one staff member – clicked on a phishing e-mail originating from an account at Texas Tech. The e-mail subject line read “get you pay here.”

With that connection, he said, the hackers were able to shadow the accounts. None of the four had completed the new Duo security protocol being implemented on the university’s MyBGSU system. As of today everyone will have to have signed in to the two-step authentication process to access MyBGSU.

Using information culled from the shadowing, the hackers were able to get onto MyBGSU and set up Duo accounts. Once there, they changed the routing for the employees’ direct deposits.

Ellinger said that unlike in the past, these hackers were astute enough to send the paychecks to four different accounts set up at four different overseas banks to avoid detection. They used burner phones with four different area codes to supply the needed telephone number.

One employee discovered the change before the pay was rerouted. Three, however, did not and only realized the problem when their pay did not appear in their bank accounts.

The university was able to make those employees whole. However, the hackers did file a tax return for one employee, who “is now in limbo land where the IRS has to determine who is authentic,” Ellinger said.

Ellinger said that the incidence of compromised accounts, “where someone has given away their password” to a hacker, is skyrocketing. In 2015, the university had 250 compromised accounts. In 2016 that number jumped to 1000. In 2017, as of March 14, 450 accounts have already been compromised.

The activity has spiked in the last 90 days in institutions around the country, Ellinger said. His only explanation was that there is money to be made through phishing by waylaying pay and tax returns and by stealing personal data, including Social Security numbers, that exposes someone to other forms of fraud.

He said that BGSU is the first Ohio public university to make the two-step authentication required for access to its system.

Compliance was 95 percent as of Tuesday afternoon, and more are signing up.

Some accommodations are having to be made for those without cell phones or computers. There are grounds crew staff who are in that situation, he said.

Ellinger said he was pleased with the progress until another phishing attack occurred Saturday, and 125 people clicked on the e-mail. The IT staff has since cleaned up those accounts.

It’s hard for an individual to tell they are being shadowed. If there’s any doubt, Ellinger said, “change your password.”

“We’re doing our best to keep the bad guys out,” he said, “but they’re getting smarter. They’re getting better.”

Matthew Haschak, who works in security and infrastructure for Information Technology Services, said: “We’re building a wall but the bad guys always try to find a way around.”

Ellinger said there are no “100-percent guarantees.”

“We’re just trying to make it harder to get in.”

The next step is to look at the email system to see how it can be made more secure against phishing.