As students enjoyed midwinter break, some received cryptic emails in their inboxes from senior Nuani Santiago or sophomore Nira Jain Julian. These emails, which were sent on Feb. 19, were part of a sophisticated phishing scam to collect emails and passwords from individuals, according to Systems Administrator John Brooks. Phishing is a technique scammers use to acquire sensitive data through an email or on a website.
Santiago was the first student to be a victim of this scam, which ordered students to reset their passwords or apply for a job through a Google Form that would collect their data. The scammers initially obtained access to her email account through posing as college administrators and sending fraudulent emails.
“When I got accepted to the school I [applied] early decision to, I obviously paid my enrollment fee,” Santiago said. “I made my email… And for like two weeks straight, I kept getting all of these random emails from people at Bryn Mawr.”
Santiago initially ignored these emails because she won’t be attending Bryn Mawr College for another five months. She didn’t know yet, but these emails weren’t from people at Bryn Mawr; they were phishing scams.
“I think [the scammers] realized I wasn’t checking my email, and then I got this mysterious email, and it said you have to verify your account,” Santiago said. “So I clicked on the link.”
After she clicked on the link, scammers were able to obtain her email information and lock Santiago out of her account. Then, the they sent phishing emails through Santiago’s account, one of which landed in senior Mohamed Farah’s email.
“My first instinct was, instead of clicking on a link that might be phishing, to copy and paste the entire email into Google and see if something similar pops up,” Farah said. “And I ended up discovering that this is a very common scam.”
Brooks is responsible for monitoring and maintaining UPrep’s cybersecurity as well as helping students with tech issues. UPrep is an entity that houses a lot of sensitive data and, according to Brooks, it is considered an attractive target for cybersecurity attacks.
“We as an institution have a pretty high threat profile,” Brooks said. “These sorts of phishing scams come through all the time, and the vast majority of them get blocked, either by our spam filtering system or by faculty and staff [who go] through phishing training.”
Brooks acknowledged that this scam was different from the vast majority of phishing scams that target UPrep, which often target teachers, not students.
“This is one that, because when the student was compromised, it then used their entire address book to then try to expand, and it became very high profile because everybody got it,” Brooks said.
Once back from midwinter break, the tech department addressed the problems while minimizing damage.
“We were able to go through and delete the emails and update the spam filter fairly quickly, so more people weren’t compromised, because there was a pretty sophisticated attack,” Brooks said.
Although the tech office wasn’t able to determine the exact origins of the attack, Santiago says that there were at least a hundred login attempts to her account from places such as California, Nigeria, Colorado, Australia and Florida.
“When this first happened, so many people called me, texted me,” Santiago said. “I didn’t really lose anything, but it was just really not fun coming to school and everyone being like ‘what was that email?’”
Sophomore Nira Jain Julian was also a victim of the phishing scam after she clicked on the link sent by the scammers from Santiago’s account.
“I got an email saying my password had expired and I would lose my Microsoft account if I didn’t reset it,” Jain Julian said.
Jain Julian noted that she didn’t even realize her account had been hacked until her friends texted her about it.
Brooks urges all students to be cautious and feel free to reach out to the tech office with questions.
“You have resources and people to ask,” Brooks said. “Don’t be afraid to question it because I would so much rather answer 10 people’s questions about something that is official than deal with 10 compromised accounts.”
