Phishing Attempt Lures in Payroll Fraud Victims

By Jordan Unger

Several Youngstown State University employees may have noticed a strange request in their YSU email last month. The email was a phishing attempt, which led to payroll fraud against employees on campus.

The email, which was sent to YSU faculty and staff, claimed to be from the Office of Human Resources. It directed users to follow a link and provide username and password information.

Twenty-nine faculty emails were compromised by the phish, and 15 employees’ direct deposit checks were transferred from their banks to foreign bank accounts.

The functions of the phishing email were deactivated within two hours of the first notification. Neal McNally, vice president of the Office of Finance and Business Operations, sent an email to faculty and staff saying that the fraud issues had been resolved and that affected employees were issued paper checks for the pay period.

McNally said the incident served as a lesson.

“It does highlight the need for awareness and training to make sure people are increasingly aware of these threats,” McNally said. “They are becoming more and more sophisticated.”

Chris Wentz, associate director of Network Security at YSU, said awareness of these types of issues is significant for everyone.

“Cybercrime has become the most profitable mechanism for the criminal element,” Wentz said. “They’re going to hit you every way they can.”

Students and faculty should always be cautious when giving out personal information through email, he added.

“Know who you’re talking to,” Wentz said. “It’s the same thing with a phone call. If someone calls you out of the blue and starts asking you for things, your first tendency is to be a little suspicious.”

McNally said YSU will not ask students or faculty to turn over username and password information.

“If you ever see anything like that, that ought to trigger a red flag right away that it’s probably not legitimate,” McNally said.

In the phishing email, the sender address was a hotmail.com account, and Wentz said this is a first indication that the email was not from Human Resources. Email users can also hover their mouse over a link to see the web address that the link leads to.

Wentz said this is a great tool in detecting phishing emails.

“If [the web address] doesn’t say ysu.edu, more than likely it’s not going to be a legitimate [email],” he said.
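The two checks described above, sender domain and link destination, can also be run automatically. The Python sketch below is an added example, not part of the original article or of YSU's tooling; the sample message and every address in it are constructed, and it assumes a single-part HTML message.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "ysu.edu"  # domain the article says legitimate mail and links use
# Constructed sample message; every address and URL in it is made up.
SAMPLE = """\
From: "Office of Human Resources" <hr.notice@hotmail.com>
Subject: Payroll update
Content-Type: text/html

<a href="http://ysu.edu.portal-login.example/hr">https://ysu.edu/hr</a>
<a href="https://www.ysu.edu/">YSU home page</a>
"""

def in_domain(host, domain=TRUSTED):
    # Exact match or true subdomain only; a substring test would accept
    # lookalikes such as "ysu.edu.portal-login.example".
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):  # collects [href, visible text] per <a>
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def check_message(raw):
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not in_domain(sender_domain):
        findings.append(f"sender domain {sender_domain!r} is not {TRUSTED}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())  # assumes a single-part HTML message
    for href, text in collector.links:
        host = urlsplit(href).hostname  # None for relative or mailto links
        if not in_domain(host):
            findings.append(f"link {text.strip()!r} leads to {host!r}")
    return findings
```

Calling `check_message(SAMPLE)` flags the hotmail.com sender and the first link, whose visible text shows ysu.edu while its real host does not end in ysu.edu.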

YSU Network Security receives questions weekly asking whether an email is legitimate. The team traces emails back to see whether they come from suspicious locations.

Wentz said the recipient can directly ask human resources if they sent the email.

“It’s ok to do your own little fact check in the background just to get a sense of comfort,” Wentz said.

Sarah Davis, a YSU student who works on campus, said raising awareness for cyber threats is a smart idea.

“It will help us in the future to take steps to protect our information better,” Davis said.

Wentz attended a six-hour meeting on Sept. 21 with engineers from one of the emailing platforms at YSU to discuss rules and ways to reduce the number of phishing attempts that are delivered.

When filtering changes come in the future, he said it is important to find a balance between the phishing emails and good emails.

“We want to make sure we’re doing our best to protect the campus community without negatively impacting experience,” Wentz said.

Information on how to detect malicious emails and internet security can be found on the YSU Network Security webpage.