Officials said a “malicious intruder” accessed the GW Directory last week and launched a “phishing attack” on users in GW’s web portal, the latest in a string of scam emails targeting GW students, faculty and staff since mid-December.
An email sent by GWIT on Feb. 1 said the intruder obtained first and last names, departments and positions, GW email addresses, office phone numbers and campus addresses of students, faculty, staff and alumni. Officials said a series of phishing emails over the last several months masquerading as GW community members have promoted false employment opportunities, payroll updates for faculty and enrollment for 2023 insurance benefits.
The intruder did not compromise any personal information, and GWIT eventually blocked the unauthorized access, according to the email from GWIT.
“We apologize for the impact this cybersecurity incident may have on you,” the email states. “An investigation is underway, and GW Information Security continues to actively monitor for any suspicious activity.”
Officials said in the email they have contacted the users who received phishing emails. Students are only hired for GW student jobs through official channels like GW Career Services at [email protected], and students, faculty and staff should ignore any requests for information and report suspicious activity to the University, according to GWIT.
In response to the phishing emails, GWIT has sent at least four email alerts to all GW email addresses since Dec. 16, urging students and faculty to “ignore” any messages requesting personal information, report any electronic communications promising unexpected money or rewards and avoid clicking links, attachments or files from unknown emails.
Geneva Henry, the vice provost for libraries and information technology, said “cybercriminals” accessing inactive email accounts that had not set up two-step authentication resulted in the recent attacks on GW systems. She said through these accounts, hackers could access the GW directory and send deceitful emails to University community members.
Henry declined to comment on how many reports of phishing attempts have been made to the University and how many community members have been affected by cybersecurity attacks.
In September 2020, GW Hospital doctors and nurses resorted to paper documentation methods following a suspected ransomware attack that temporarily disrupted clinical and financial operations at the facility.
Henry said phishing attacks are increasing worldwide as technology users and cybercriminals become more “sophisticated.” She said GW’s email system filters out over 100,000 “suspicious” emails set to be delivered to GW email addresses each week to protect community members.
“At no time did the cybercriminals have back-end access to any systems, nor could they see or download any sensitive information,” she said in an email. “The email accounts were hacked, but GW’s systems were not.”
In May 2021, a hacker infiltrated the databases of Herff Jones, the University’s commencement attire vendor, hacked student payment information and made unauthorized purchases on students’ credit cards. The breach leaked payment information belonging to students from multiple universities using the company.
Henry said a team of staff members in GWIT enforces several layers of security procedures like email filters, two-step authentication and blocking malicious actors to assess cyber risks and ensure the security of community members’ personal information. She said any suspicious emails should be forwarded to [email protected]. Students, faculty and staff should contact the GW Privacy office at [email protected] with any questions or concerns.
“Ultimately, we rely on your vigilance to keep our community safe,” she said. “Please remain mindful of who you give your personal information to.”
In December 2021, GW Law students and faculty experienced a cyber attack on MyLaw, a platform that provides law students with access to class notes and assignments. The attack compromised GWIDs, course schedules, faculty office locations and phone numbers, and some students’ final exams were lost.
In another December 2021 incident, the University’s online employee time reporting system, Kronos, was attacked, and names, GWIDs, NetIDs, GW email addresses, office phone numbers and campus addresses were compromised.
Experts in cybersecurity and technology said cyberattack concerns are common for large institutions like universities, especially after the COVID-19 pandemic increased their reliance on technology. They said educating the community on how to recognize scams and raising awareness of similar incidents can reduce the threat of phishing and scamming.
Daniel Votipka, an assistant professor of computer science at Tufts University, said to prevent these attacks, a university should inform its community of any unusual activity and encourage students to remain cautious when viewing emails.
“It’s on the University to present some controls to help,” he said. “One change that we’ve done here is mark messages and emails that are coming from outside of the department or outside the school.”
GW automatically labels all emails coming from an email address not affiliated with the University as “external.”
Votipka said cyberattacks are prevalent among universities and large organizations, but major social changes like the pandemic often lead to a rise in cybercrimes similar to those that GW experienced.
Cybercrimes shifted from individuals to large-scale corporations and infrastructures with the onset of the pandemic, according to the International Criminal Police Organization. As organizations began employing remote systems of work to support work-from-home staff, criminals took advantage of “security vulnerabilities” to steal information, according to the organization.
Abhi Shelat, a Professor of Computer Science at Northeastern University’s Khoury College of Computer Science, said universities are a prime target for large cyberattacks as they typically use thousands of computers connected to a single Wi-Fi network on a day-to-day basis.
“Educate students, employ the best practices with incident response, scan their internal networks,” he said in an email. “It is a very hard job to keep a campus network secure; kudos to the people who do it.”