Correction appended.
Ohio University has implemented multiple safety measures in order to decrease the amount of phishing email attacks against OU faculty and students.
The first security updates were implemented on March 9, which were a part of OU’s bigger plan to increase its security measures, according to its website. The changes were put into place after a recent round of phishing emails were being spread throughout the university.
The most visible change is that the login page for OU websites has changed, which now requires students and faculty to enter their full email address when signing in. Craig Bantz, chief information officer at the Office of Information Technology, said those changes were made in light of the third mass round of phishing OU has seen in the past six months.
“It’s been a problem high education as been dealing with for … years now,” Bantz said.
The new sign-in page will further protect users through multi-factor authentication, Sean O'Malley, communications manager at the OIT, said. This feature, however, is still being worked on for students, and more information on multi-factor authentication will be released when available.
“Multi-factor authentication adds phone or mobile app-based verification to your login,” O’Malley said in an email. “Once that feature is enabled, a successful login will require both a correct password and access to a specific phone or mobile device, making it more difficult for a scammer to access an account after tricking the owner into giving their password away.”
OU saw over 300 email accounts compromised as a result of phishing during the week of Feb. 24, Bantz said. In what Bantz calls an “arms race,” staff spent over 1,000 hours working on blocking about 180,000 phishing emails.
The new sign-in page, along with the usage of Microsoft’s Safe Links, aims to reduce those numbers.
O’Malley said the university is using Safe Links because the department knows how important email is on a college campus. The system uses artificial intelligence technology to verify the safety of a website before the user opens the link.
“When an email recipient clicks a link, Safe Links scans the site and displays a warning message if the site tests positive or if it is on a list of known scam sites,” O’Malley said in an email. “OIT security staff can update that list on the fly, making it possible to block attacks as soon as we become aware of them.”
Safe Links also allows OU to provide website alternatives, Bantz said. If Safe Links finds a website to be unsafe for the user, the program will redirect the link to an educational and safe website. Safe Links, combined with the new login, should help with phishing problems overall, Bantz said.
Bantz said he suspects this will reduce phishing emails by 95 percent.
The waves of phishing OU has seen follows the typical pattern of phishing emails. It has been a rising problem during the Spring Semester, O’Malley said.
“Phishing scams are a consistent problem, with short term increases happening during specific times of the year like tax season,” O’Malley said in an email. “We noticed such an increase earlier this semester.”
More changes will come to further protect all OU accounts from phishing messages, according to OU’s website. Multi-factor authentication will be possible for all users, not just faculty members. Faculty members will no longer be able to forward emails to external accounts and will modernize its usage of apps in order ensure the latest versions of apps are being used for security purposes.
Correction: A previous version of this report incorrectly stated that faculty members will be able to forward emails to external accounts. The article has been updated to reflect the most accurate information.