Last Tuesday a phishing email was sent out to UConn students and faculty, which fraudulently claimed to be from University Information Technology Services (UITS). The email stated that the recipient had exceeded their email quota and prompted them to click on a link to re-validate their account.
UConn should have warned students and faculty as soon as it became aware of this phishing email. Recipients may have unwarily clicked on the link; the university should have sent an email explaining what students and faculty should do to protect themselves.
As reported in The Daily Campus, UITS computer technician Haleh Ghaemolsabahi has stated that UConn was not hacked. The sender of the phishing email relied on a list of publicly available university email addresses. Nonetheless, when a predatory email user is deliberately targeting UConn email addresses in order to obtain personal information, the university should say something to the community.
Several UConn email users were threatened and did not receive any warnings or recommendations from UITS. The university was certainly aware of the problem, as “The email was sent at 9:05 a.m. The URL was blocked by 9:50 a.m. and UConn spam appliance was ‘configured to block the message shortly thereafter,’ UConn deputy spokesman Tom Breen said,” as noted in The Daily Campus.
The university rightfully took these steps to protect the safety of its email users, but it did not send an email notification to those who may have been affected, which it should have done.
Some students and faculty may have unknowingly clicked on the link in the 45-minute window before the university blocked the URL. Their personal information may have been at risk and they received no notification that they should take any steps to protect themselves.
The Daily Campus reported that Ghaemolsabahi recommended that those who clicked the link “should immediately change their passwords.” This information should have been directly communicated to the students and faculty who may have been affected.
When UConn email addresses are targeted and there are steps recipients should take to ensure the protection of their personal information, the university should affirmatively inform email users. A notification email from UITS in events of this nature would better prepare students to protect themselves.
Students using a university email account expect it to be safe. Trust in the validity of university announcements might make the community especially vulnerable to phishing emails. In the future, the university should not only quickly disable the threat, but also notify students of the threat’s existence and provide them with the actions they should take if they are at risk.