
(Emma G. Schaible / Fourth Estate)
Chief Information Security Officer Matthew Dalton discusses increase in phishing emails
BY ANDREW T. YARBROUGH, STAFF WRITER
“Scam artists have existed for thousands of years, and the internet just gives them another platform to do it,” said Matthew Dalton, Mason’s Chief Information Security Officer.
Recently, George Mason students have experienced a significant surge in targeted phishing emails, urging users to click fake links claiming to have information on job opportunities, ICE sightings on campus and security alerts.
These links are designed to steal NetID credentials. Information Technology Services is attempting to address the issues.
Dalton explained the recent uptick is related to the time of year.
“You will always see an increase in phishing in [the] late February to late March time frame, because it’s tax season,” he said.
Dalton described an ongoing battle between those phishing and those defending against it. Scammers learn about the security controls installed in a system to prevent malicious emails and look for ways around them. Once they find a way to get around those barriers, users notice another uptick in phishing attempts.
Phishing schemes can be identified by three characteristics: First, scammers make an attempt to establish trust; someone might send a message pretending to be in a position of authority, including claiming they are from IT Services or the GMU Police.
Second, phishing emails are characterized by a lack of timeliness. They encourage urgency, but feature no clear timeline of when actions need to be taken by the receiver.
Finally, scam emails utilize something of value to the receiver, with lines such as ‘We see something wrong with your account, click this link.’
To protect themselves from scams, students should be wary of spacing or grammatical errors inside the emails they receive. However, Dalton noted that such errors may not always be present anymore due to the onset of generative AI.
“Take a look to see who [an email] actually is from. If it says they’re them, but it’s coming from a Gmail address … think twice; stop and think about what this is,” Dalton said.
It is critical to pay attention to the links inside emails as well.
Links in emails claiming to be from the university, which solely relies on Microsoft as a vendor, should not take users to a Google Doc.
Dalton said students should report suspicious emails to Information Technology Services. This allows ITS to confirm the scam and send out a proactive email to anyone who may have received it to minimize its impact on the Mason community.
ITS is helping Mason be more aware of phishing attempts by utilizing phishing inoculation, also commonly referred to as an attack simulation by Microsoft.
This software simulates phishing attempts, but once a link is clicked, it shows receivers a message with information about phishing attempts. By regularly doing these training sessions, rather than one yearly training session, users stay informed and more aware of tactics that scammers may utilize.
ITS has launched a multi-faceted effort to spread awareness, having posted information on social media and posters on campus in addition to the frequent simulations.
However, phishing plays only a small role in cybersecurity. To best protect themselves online, users should run the latest operating system, keep their applications up to date and make sure that they have installed anti-virus software.
Dalton recommended that users make sure that their accounts have an encrypted password or a set passkey. He also recommended that users utilize OneDrive, which is offered by GMU, or have an external hard drive to back up files.
Dalton warned against too many restrictions.
“We want to make sure that we are finding that sweet spot of protecting everybody, but not to the point we’re restricting them … people aren’t here in order to not get phished, they’re here in order to learn.”
Being cyber-aware is critical when dealing with phishing emails. ITS provides information and examples about phishing on its website, along with general security best practices and even a recommendation for anti-virus software.