
Have you fallen for one of these fake IT phishing emails?

30/10/2024

By Ed Brennen

Approximately 3 million emails are sent each week to more than 22,000 UMass Lowell students, faculty and staff – approximately 137 per person.

However, less than a third of these messages actually reach UML inboxes. This is because the information security team at the Office of Information Technology uses the latest software to remove annoying spam and, worse still, dangerous malware and phishing attempts.

Fraudsters are “endlessly resourceful and terrible,” says UML’s new chief information security officer, Heather Fowles, who replaced the retired Jim Packard in February.

Fowles joined UML after more than a decade in the healthcare industry. From 2019 to 2023, she was an information security specialist at Mass General Brigham; previously, she was the director of information security at the Eye and Ear Infirmary in Massachusetts.

“I’ve always been more drawn to organizations that have a public mission, and that’s what sets UMass Lowell apart,” says Fowles, who leads a team of four information security engineers and several students.

“Most security comes from having good IT partners, and that was another advantage of this company,” she says. “You want to have infrastructure people who are figuring out how to manage, patch, and update systems. This will definitely reduce your exposure.”

Two people stand and talk to two other people who are sitting at a table with a blue tablecloth in the building's lobby.

Photo by Ed Brennen

Chief Information Security Officer Heather Fowles speaks with members of her information security team during a recent cybersecurity awareness event at the Pulichino Tong Business Center.



Fowles had long thought she would work in higher education – as a professor. She earned a bachelor’s degree in the history and philosophy of science and medicine from the university in her hometown of Chicago, and a master’s degree in the history of science from Harvard University.

“Then I thought, ‘Wow, what am I doing? I’m not cut out to be a college professor,’” says Fowles, who started working in information security at New England Financial.

“It’s a really good field if you like being at the intersection of technology and people,” she says. “Technology is always changing and threats are always changing, and you’re trying to stay ahead of everything with technology solutions. But often your problems are human problems – what people do with their technology and their attitudes about rules and restrictions.”

Fowles sat down at the end of October, which was National Cybersecurity Awareness Month, to talk about her new role and why her team sends you fake phishing emails.

Q: How does information security in higher education compare to healthcare?

A. Many of the challenges are the same. There is probably more diversity on a college campus in terms of the technologies we support, and that can be a challenge. When it comes to health care, some of the concerns of research physicians are similar to concerns you might have as a faculty member. It’s not just about IT infrastructure; you also have some things that are harder to protect, like research and more disposable things that are more specific to the research and teaching environment.

Q. What are your immediate priorities?

A. One of the first things we did was improve security monitoring. The team is small, so one of our greatest efforts was to provide a 24/7 network monitoring service. We have a lot of great monitoring tools in our systems, but if an alarm goes off in the middle of the night and someone doesn’t wake up and hear it, at least we have an external service keeping an eye on it. This gives us a little more peace of mind.

A person wearing glasses and a jacket poses for a photo outdoors.

Photo by Ed Brennen

Heather Fowles joined UML as chief information security officer earlier this year after more than a decade in the healthcare industry.



We are also doing more in the area of awareness. We set up tables on campus for Cybersecurity Awareness Month and conduct phishing tests by sending simulated messages to expose our employees to various types of attacks. We intend to make them available to our students as well.

No matter how good your technology is, some small percentage will always get through. The population is large here and cybercriminals are quite resourceful. I get feedback from people like, “I can’t believe you’re making me do this.” But I really think that little flash of awareness when you click something you shouldn’t is a better learning experience than any number of videos I can show you. There’s no better way to learn than to experience these kinds of things.

Q. What types of phishing scams should students be aware of?

A. At the beginning of the semester, job scams increase: work from home and earn money. The student gets paid to go out and shop, maybe gift cards. They think they received a check, but the person who deposits the money into their account can withdraw it within three days, so they take the money out of the student’s account and basically have no money to cover the cost of the items. In addition, there is fraud in the concert ticket market, as a result of which they do not receive their money or the goods never appear. This year we had an academic integrity scam that was unbelievable. The scammer told the student he was the subject of an academic integrity investigation and the university demanded he pay $750 for the investigation. Fortunately, the end result was that the money was sent to Kenya and the student thought, “Oh, now I know this isn’t real.”

Q. How have you seen threats evolve over the course of your career?

A. In the 1990s we had a religion about patching systems. No one really thought it was a serious problem until massive malware attacks started popping up, most of them by entities from other countries, so law enforcement couldn’t deal with it. This has moved on to things like ransomware. For a while, the ransom involved saying, “We will lock down your systems and you will not be able to access your operations unless you pay us.” And then the ransom operators realized they didn’t even have to do that – “I’ll just steal your data and hold it to a ransom.” Cryptocurrencies like Bitcoin have been a huge accelerator of fraud because now they can make money anonymously on the Internet and cannot see the humanity of the person they are scamming.

Q: As more people learn and work remotely since the pandemic, how does this complicate your work?

A. Some smart architectural decisions have been made here where students are essentially on a separate network, so they can connect their own device to that network. However, we place great importance on authenticating them and understanding what systems are available. Then we have our administrative or internal systems, which are kept at arm’s length from our students’ systems. From a work from home standpoint, we don’t tell our employees to use any home system. We give you a laptop and say, “This is what you’re working on.”

Q. What about cell phone security?

A. People are a bit more susceptible to scam messages sent from their phones. It’s a small screen and it’s a little harder to see subtle details. And people are often in a hurry. If you lead a mobile lifestyle where you do a lot of work on your phone, slow down and make sure you know what you’re clicking. You can also wait until you are back on the desktop if you can. And if you receive annoying spam texts, just block them.

There’s an old Gary Larson drawing called “Far Side” that I really love. He’s a businessman in a small space capsule. He flies to work and his coffee cup is outside. Technology changes, but people remain the same.