“Free software training for students!”
“Congrats on your acceptance to the Honor Society.”
“Last chance to enroll in SHIP!”
What may appear to University of Wisconsin-Madison students as legitimate mail may at times be hackers and scammers seeking to capitalize on their personal information.
Through technological innovation and widespread access to mailing lists, spam email campaigns are making their way to the top of UW-Madison students’ inboxes. Compounded with federal and state laws that protect and grant third party vendors unfettered access to UW students’ information, spam has made its way into UW student’s emails.
What is spam and who sends it?
Spam are unsolicited, bulk messages often sent for illegitimate and fraudulent purposes. Spam may take the form of businesses marketing their services or a counterfeit email requesting sensitive information.
The latter, called phishing, utilizes fake emails or sites from established institutions — such as banks or schools — to lure recipients into providing personal information. In phishing, money is often the end goal.
“They’re wanting you to do something you wouldn’t normally do, and they want you to do it right away,” UW-Madison Chief Information Security Officer Bob Turner said. “You click on a link … and all of a sudden you hand over your identity to them.”
Hackers and scammers gain access to email accounts through a variety of means, according to Dave Schroeder, a cybersecurity expert in UW-Madison’s Division of Information Technology.
This includes phishing itself, hacking into compromised accounts to send mass emails or simply downloading email lists off websites.
“Sometimes they will just guess common name and initial combinations … or they may use automated tools to try to extract email addresses from public web sites or the UW directory,” Schroeder said.
From individual hackers and cyber-criminal organizations to businesses and nonprofits — any third party can send out spam emails, according to Schroeder.
In a weekly report that ended on Sept. 6, UW information security detected 1,459 phishing alerts, according to Turner.
That’s a “light week,” Turner said. Spam and phishing typically experience an uptick at the start of the school year.
While the majority of illegitimate mail is removed, scammers and third-party entities think of new methods that enable their messages to slip through the cracks.
“We can’t catch them all because spammers are clever,” Turner said. “Criminals are very clever in the way they do things.”
Required by law
The easiest way for spammers to acquire UW-Madison email addresses is to go to the source itself.
Bound by federal and state law, the UW Registrar regularly shares student information to third parties.
The Federal Education Rights and Privacy Act enables institutions of higher learning to maintain student privacy by designating certain pieces of information as directory (public) or non-directory (private), according to UW Registrar Outreach Specialist Scott Owczarek.
Currently, UW-Madison lists names, phone numbers, enrollment status and email addresses, among others, in their directory.
Faculty and staff along with registered student organizations typically request mailing lists to offer research opportunities or to advertise club activities. Third parties, however, have access to the same information.
Under FERPA, schools may release directory information — including email addresses — to public entities or anyone that requests the information. Institutions retain the right under federal statute to review requests and determine if they want to provide student information to a third party.
In Wisconsin, however, schools are required to release the information without any stipulation or inquiry.
The Wisconsin Open Records Law declares that “all persons are entitled to the greatest possible information regarding the affairs of government and the official acts of those officers and employees who represent them.”
UW-Madison is considered a government agency, which requires the school to adhere to the law, according to Owczarek. As a result, third party entities and scammers can freely obtain UW student information without any justification or accountability.
How students can protect themselves
To protect their privacy, students can log onto their Student Center and fill out a FERPA restriction request or third-party hold.
After students change their settings, the Office of the Registrar can then withhold student information, particularly from businesses and RSOs when they solicit mailing lists.
These changes, however, cannot be used on a case-by-case basis. By restricting information, students can exclude themselves from opportunities such as a state legislator congratulating them for making the Dean’s List, according to Owczarek.
“You can’t pick and choose,” Owczarek said.
According to Turner, UW has multiple security layers within its Microsoft Office 365 service that includes scanning for malicious email attachments, electronic signatures and other network tools that organizations protect themselves with.
But it ultimately is an individual’s responsibility to be wary of suspicious emails.
“It is truly a cat-and-mouse game, with attackers trying to stay one step ahead,” Schroeder said. “Many levels of security controls are in place, but each individual is the last line of defense when it comes to cybersecurity and security of your personal information.”
