Stanford urges email security vigilance

Stanford is reminding members of the campus community to protect their information by being particularly vigilant for potentially malicious emails.

Recent phishing campaigns on campus have targeted specific individuals and used either email subject lines closely related to the individuals’ professional interests or forged sender addresses of colleagues. (Image credit: L.A. Cicero)

Like most large institutions, Stanford filters out massive quantities of incoming spam, malware and other email-borne security threats on a daily basis. Email security systems are unable to identify all such email, however, and some malicious messages get through.

The most insidious of these are individually targeted phishing messages known as “spear phishing,” according to Michael Duff, chief information security officer for Stanford.

Spear phishing is the single greatest cybersecurity threat today, Duff said. The objective is to gain ongoing access to the target’s passwords, computing devices, data and communications by tricking the recipient into clicking on a malicious link or attachment in the email.

Two notable spear phishing campaigns have occurred recently at Stanford, Duff said. There is no evidence of successful hacking, nor loss of information, as a result of the two attempts. But they used a sophisticated approach, targeting specific individuals and using either email subject lines closely related to the individuals’ professional interests or forged sender addresses of colleagues.

In the first case in late summer, Duff said, a half dozen individuals at the Freeman Spogli Institute for International Studies (FSI) and the Hoover Institution received one of these emails, targeted specifically at them. The university worked with the recipients of the emails and alerted other FSI and Hoover personnel about the phenomenon.

In the second case in late October, Duff said, a larger group of 49 individuals, mostly at FSI and the Hoover Institution, received such emails. The university again has been in touch with the recipients, and no evidence of an actual breach has been detected at this point.

Hacking incidents attributed to specific foreign nation-state actors have been the subject of recent coverage in the national press. Based on investigations to date, Stanford has reason to believe that the two recent attacks were carried out by the same government-sponsored groups, Duff said. The university has shared samples of the malicious emails with federal law enforcement to help support broader efforts to combat such attacks.

“While there is no evidence of a compromise from these attacks, they should prompt all of us at Stanford to be even more vigilant in our use of email,” Duff said. “These attacks are becoming more sophisticated and more personalized. Because many of these emails draw upon the professional interests and connections of an individual, they are increasingly difficult to distinguish from legitimate messages.”

Duff provided two key suggestions for members of the campus community:

• Be wary of unsolicited or unexpected emails, even if they appear to be from someone you know or pertain to a subject in which you are involved. For example, a common phishing scheme seen recently is an email that appears to be from the recipient’s supervisor and asks the recipient to perform a wire transfer.

• If you are unsure about an email, call the purported sender to confirm its authenticity before clicking any links or opening any attachments.

More information is available on the University IT website, including samples of phishing emails to help members of the campus community identify them. Suspected phishing messages can be reported to the Information Security Office by forwarding them to spam@stanford.edu. Questions can be submitted via the HelpSU system.

In addition, the Information Security Office has recently begun offering an awareness program for campus departments that wish to train their staff on spotting and evading spear phishing. The Phishing Awareness Service will send simulated phishing emails to departments that opt into the training, allowing recipients to become familiar with the tactics used in actual phishing attacks.