Students in the North East have seen an increase in scam emails appearing in their school emails, which some say have been harder to spot due to similarities to legitimate college emails. As a result of the scams, all North East emails will receive an upgrade to make North East accounts more secure.
When fourth-year journalism major Luiza Loyo received an email advertising a job opportunity with a doctor named Ben Simon, Loyo assumed he was associated with the university. The email said the post would pay $500 a week for an assistant to do shopping for Simon, as well as philanthropic donations, which he was unable to do due to his heavy workload.
The email was well-written, and because Loyo received it from her Northeast email, she assumed it was from a college project. As an international student, Loyo said she used to find work through college.
“A lot of international students seek jobs on campus because they can’t work anywhere else,” Loyo said. “So it makes a lot of sense to assume that those emails land on your Northeastern account because people are looking to hire Northeastern students.”
Loyo responded to the email asking to be hired and received a response that featured odd grammar and wording, asking for personal information, after which Loyo would be hired immediately. He also said Loyo would be paid through an anonymous outside group. Loyo stopped responding due to the suspicious nature of the response, but only fully acknowledged it was a scam when friends later discussed the fraudulent emails the students had received.
“After talking to my friends that day, where they were also saying they were getting a lot of scam emails, it just kind of came together,” Loyo said. “I started looking in my inbox and suddenly I get a lot of weird job opportunities, which I first thought was a service from the North East Employment Office. “
Eric Nichols, a fifth-year computer science student, said he decided to look into the scam emails after he first heard about them. Nichols said he looked at the scam emails other students had received and noticed that the email addresses used — all from the Northeast — were only from graduate students and professors. He also found that he and other students would receive identical offers, but the sender would be different.
Nichols said he wondered if anyone was able to log into the Northeast accounts with the user’s credentials, or if they had been hacked. If they had been hacked, Nichols said he was worried what else the accounts could be used for.
“Was their account compromised or was someone able – without logging in – to impersonate these people?” Nicholas said. “And if all of these accounts have been compromised, are they just spamming, or are there other things going on with that?”
Nichols also said the emails weren’t immediately apparent as scams due to content and structure, and because of that, Northeastern’s guidance for noticing scams might not be very helpful.
“So when they’re offering advice on how to spot a fake, I think there’s a potential angle there that the school makes it harder to differentiate because they have a lot of the same behavior when they email us,” he said.
Following a Microsoft technology upgrade released on October 1, Northeastern will incorporate new levels of protection for college email. Scott Olson, manager of student employees, services, personnel and training, said the new security is called modern authentication. The program, which first rolled out in the Northeast on November 8, adds an extra layer of protection when students log into their Northeast accounts.
According to the Modern Authentication through Office of Information Security (OIS) website, many students in the Northeast are already using hardened devices with the upgraded software, which involves two-step authentication through Duo. With this login system, mail users in the Northeast are granted temporary access to the service they logged in to, which will eventually expire. Duo authentication will also become more common after the switch to modern authentication, according to the website.
The original login system, known as “legacy authentication”, would allow those with email from the Northeast to login with just a username and password, which would be then saved by the app they logged into. This makes those who use this login system vulnerable to security risks, according to the OIS webpage.
“The transition to modern authentication will improve account security and reduce the number of compromised accounts and phishing emails on Northeastern’s network,” reads the Office of Security’s webpage. information.
After the upgrade, students using outdated sign-in methods had to upgrade to the latest Microsoft 365 update and ensure their email client can support modern authentication by October 31. otherwise they might have lost access to their North East email.
Information Technology Services sent an email on November 9 announcing the change. The announcement referred to modern authentication as Duo Two-Factor Authentication, or Duo 2FA. He also announced that when logging in, students will need to log into their Northeastern accounts using Active Directory, as students can be locked out of their accounts using the myNortheastern login method.
“Duo 2FA is already required to access the university’s virtual private network and other frequently used online services and systems. This update does not change the way you sign in and check out using Duo, but rather expands it to protect additional services,” the email read, “Thank you for your support in helping keep the Safe and secure Northeastern accounts and data.
Prior to the change, Northeastern also sent several emails warning of the increase in spam, as well as tips for spotting misleading offers. According to emails from Cassandra LeBrun, Assistant Director of Talent Engagement, students will still be prompted to log into NUworks if the job posting is an actual position associated with Northeastern. LeBrun also wrote that students should have a career counselor at Employer Engagement and Career Design check to see if the offer is misleading and forward any questionable material to them.
The emails gave general advice about not providing crucial personal information such as bank account information and social security numbers, warning that if the post sounds too good, it probably is and that all international students will need to be cleared before starting any type of employment.
Freshman journalism student Darin Zullo, who when speaking with The News had yet to learn about the modern authentication system, stressed the importance of involving a program that can filter out scams. Without the inclusion of such technology, Zullo said he felt the university would not adequately address the situation.
“If people get hacked as a result of these phishing emails, the school could do more to respond to the situation,” Zullo said. “It’s a pretty common problem and we’re all aware of it because we all check our emails. I just feel like there’s not really enough to do.”