Attackers go phishing at NIU

By Alexandria Isom

The Division of Information Technology is implementing a multi-factor authentication security system to protect students from an increase in phishing emails.

In a phishing attack, an attacker disguises an email by mimicking a university or business to get a user to provide personal information. An attacker usually looks for personal information such as a Social Security number, username and password, or banking information to gain access to a user’s accounts.

Attackers attempt to compromise an NIU account and then use that account to send out more phishing attacks to other people, said Drew Bjerken, associate vice president of the Division of Information Technology.

Students who have already been compromised were enrolled in the authentication system Monday, and the rest of the student population will be enrolled in mid-April, Bjerken said.

The authentication method will require email users to provide two or more credentials to prove their identity when accessing an NIU account. The first credential needed is a username and password. The credential added because of the phishing attempts is based on something the user has in their possession, such as a smartphone, which is used to approve or disapprove a login. Email users can choose to receive a text message with a six-digit code, set up an application or receive a phone call to approve or disapprove a login.

“It’s going to be a challenge and could potentially put a glitch in people’s communication with email temporarily because they are going to be adapting to a new system,” Bjerken said. “But we absolutely have to do it if we want to protect NIU’s brand and NIU’s enterprise network system.”

Last year, phishing attacks resulted in over $150,000 of attempted tax fraud at NIU, and the number of attacks is increasing this year. Officials have sent two emails warning members of the NIU community about phishing emails. Bjerken said more than 250 university accounts are compromised per week.

The Department of Police and Public Safety will get involved if a student or faculty member is victimized beyond the phishing itself and the case turns into a criminal investigation.

“If a person feels like they have been a victim or someone has accessed their bank account and provided credentials in a phishing email, they can notify us,” said NIU Police Chief Thomas Phillips. “We’ll gather the information, share it with the IT department and make sure to provide the resources to our community to protect themselves.”

Sophomore nursing major Nebal Algholeh’s email account was compromised, but the Division of Information Technology was able to fix the problem by having her change her password. Algholeh thinks the new authentication method could be challenging for students.

“Sometimes if I’m at a library, my phone dies, and if I need to get into my account, I’ll be mad if I can’t just because I can’t support it through my phone,” Algholeh said.

The Department of Police and Public Safety encourages the community to forward phishing emails to [email protected] so the information technology department can gather data to help resolve this problem.


Alexandria is a staff writer. She can be reached at [email protected].