Murray State goes phishing

Rhiannon Branch/ The News

Story by Destinee Marking, Staff writer 

The Murray State information security team is promoting awareness about phishing attacks that can put faculty, staff and students in danger.

Duane Dycus, senior security analyst, said the information security team, with the help of the service desk and other technicians on campus, randomly chose 10,000 active faculty, staff and student accounts to send fake phishing emails to.

“Phishing scams are designed to steal consumers’ personal information,” according to Murray State’s support site. “They often use doctored and fraudulent email messages to trick recipients into divulging private information, such as credit card numbers, account usernames, passwords, and even social security numbers.”

The email warned the recipient his account would be locked if he did not log into MyGate. A link to MyGate was provided, but clicking on the link took the recipient to a fake site that looks similar to the official MyGate. If the recipient entered his username and password, he was redirected to a training page that explained phishing attacks and how to avoid them in the future.

“Over the past few years, the phishing attacks that target our email accounts have gotten more sophisticated,” Dycus said. “As a result, we’ve seen a rise in the number of students and employees who fall victim to them. In response, we decided to do more in promoting awareness about phishing attacks and scams, while simultaneously providing training to people.”

Dycus said out of every individual who opened the email, nearly 35 percent logged into the fake MyGate and were then presented with the training page. He said this number is concerning, but those who made the mistake were presented with information that benefits them.

“By demonstrating a phishing attack through a real-world example, we are confident that some individuals who completed the exercise will now avoid being a victim to a malicious email in the future,” Dycus said.

When it comes to real phishing emails, Dycus said individuals can contact the service desk to inquire about the legitimacy of emails they are not sure about. He said he encourages people to forward spam emails to abuse@murraystate.edu.

Dycus said if an individual has provided their username and password to a fake website, they should immediately change all Murray State passwords or any other accounts that use the same password.

To avoid falling victim to phishing attacks, Dycus said if a message seems suspicious, take the time to analyze it: analyze who sent the email and the URL it asks the recipient to go to. He said individuals should opt for manually typing out the URL instead of clicking on links.

Makayla Knight, sophomore from Franklin, Kentucky, said receiving the email reminded her how cautious internet users have to be.

Knight said she clicked the link in the email, but decided not provide her username and password. She said she noticed the URL was incorrect. The URL of the fake MyGate page was murraystated.com, so she immediately closed the page.

“It’s really scary how easily someone can hack and scam people in today’s society,” Knight said.