You’re a faculty member and it’s just a normal Monday morning. Your email inbox is filled with student emails asking about what homework they can make up, if their grades can be changed, or if class is going to be cancelled. In all of the clutter of such an inbox, one email asking you about a recent article you published seems like a welcome relief – someone is finally asking about something that matters.
After skimming the email and clicking a link that takes you to what looks like the UD login page, you enter your UDelNet ID and password without much thought. It’s been a busy semester after all.
You may have just been phished.
Scams that take advantage of a faculty member’s desire to share their research are frequently being used to harvest identities and credentials. A scam just like the one described above has been used at multiple universities in the past. In 2016, this scam was used to steal network IDs and passwords from both the University of Illinois and UD. Faculty at both universities saw similarly worded phishing emails and realistic-looking login pages.
Last month, the U.S. Department of Justice “announced charges against nine Iranians accused of stealing private data from U.S. universities, private companies and U.S. government agencies.” These hackers have used spear phishing to target five U.S. government agencies, 144 American universities, 176 foreign universities, and dozens of private companies. According to Lindsey O’Donnell at threatpost.com, these hackers used standard spear phishing to steal faculty members’ and researchers’ accounts: “Hackers would first research professors’ interests and the academic articles they had published, and then sent spear phishing emails to those targets.” The result? 30 TB of academic data, $3.4 billion worth of research, was captured by these Iranian state-sponsored hackers.
Watch out for other faculty-related phishing scams
Research-related spear phishing scams are not the only way that criminals are targeting university faculty members. In November 2015, faculty at UD saw a morbid phishing scam that claimed a UD student had died. Because the email used official UD logos, more faculty fell for this scam. In an extreme case last year, phishing at a Canadian university led to staffers losing $9.5 million!
Don’t be so flattered by emails that ask about your research that you throw caution to the wind.
- Enable two-factor authentication on all your non-UD accounts.
- Inspect links before you click.
- Look for grammar and spelling mistakes, and unusual sender addresses.
Above all else,
Think B4 U Click!