CU Boulder targeted in COVID-19 phishing scam
Jul. 1—University of Colorado Boulder was the target of a phishing scam Monday when hackers used a compromised university email account to send about 5,000 emails to students, faculty and staff in an attempt to steal personal information.
The emails told recipients that "in response to the current hardship in the community to the COVID-19 pandemic," CU was awarding $2,300 to employees and students. The email was sent from an account with a university email address and titled "COVID-19 Support Program."
"Supporting the community is essential during these challenging times," the email stated.
The message directed recipients to a website to submit personal information including their name, date of birth, Social Security number and contact information. It also asked for credit card information in order to receive payment through a prepaid credit card.
The Office of Information Technology was able to intervene within 30 minutes of receiving emails about the scam from campus community members, said spokesperson Greg Stauffer.
Information Technology employees found and deleted the malicious emails across the university's system, Stauffer said.
"Hopefully it's not something that many people ever noticed and they didn't visit the site," Stauffer said. "We do what we can to try to limit the danger of these kinds of things, including education and using this opportunity to tell folks that the university is never going to send you an email and ask you to submit your password and Social Security number."
Information Technology staff are currently working with two people who submitted their personal information to the phishing website, Stauffer said.
The scam is not unique to CU Boulder. The University of Wisconsin Madison reported a similar phishing attempt on Monday that included emails with identical wording to the CU Boulder emails.
CU Boulder doesn't know who was behind the scam and often never finds out in cases like this, Stauffer said.
"It's people trying to take advantage of others in a difficult time," he said.
CU Boulder doesn't see an unusual number of phishing scams, Stauffer said, and many malicious or spam messages are blocked by the campus' email filters.
Information Technology is also rolling out a multi-factor authentication to the campus to make it more difficult for accounts to be compromised in the first place, Stauffer said. The program is currently in a pilot phase with the goal of providing it across campus early in the fall.