Phishing emails target Butler students

Butler’s email system has been hacked by phishing scams. Collegian file photo.


The first week of school often brings an overflow of programming, excitement and new faces on Butler University’s campus. This year, something more daunting is sneaking its way into the first week frenzy: phishing emails. 

Several students have reported receiving suspicious emails concerning “extra cash” offers disguised as personal assistant job postings, requests to verify their Microsoft Outlook account and other related scams. A large portion of these emails are being delivered from internal Butler email accounts — which makes them difficult to target. 

Cody Maggiore, a junior dance pedagogy major, has seen numbers of these emails pop up in his inbox in the past week. 

“I actually clicked a link from one that said there was something wrong with my Microsoft Office before remembering that I got a notification from my Butler app saying they had been going around,” Maggiore said. “It’s frustrating because they seem credible since a lot come from Butler email addresses, and it seems that the university should be able to solve that problem.” 

Joe Ader, assistant chief information officer, and Michael Denny, network and security architect, have been working to resolve the issues.

“What we’ve been trying to do is address the outcome of those [emails] and try to stop that from compromising accounts and such,” Ader said. “We’ve got multiple pieces of software in line with our email system to try to stop those, such as ProofPoint, to help us stop that.” 

Denny also explained the process of how a breach may occur. 

“They are happening by mistake of users,” Denny said. “What happens is a message comes into our system, and our email filter bounces like 99% of [them] and almost none of it gets through. But every once in a while, one message will get through that the filter did not see suspicious and someone will open the email.” 

He said students will assume the email is legitimate, click the link and give out all of their personal information, including passwords, addresses and more that the scammer can use in the future. 

“At that point, once they have it, sometimes they don’t even use it right away,” Denny said. “They might just wait 3 months, two months or a week, and then log in and start sending emails from that person’s account internally.” 

Because there is no true way to prevent these emails, Ader said education is the key to eventually halting them from spreading amongst Butler accounts.

The next step for IT is implementing multi-factor authentication for anyone with a Butler email account, both Denny and Ader said. MFA, as they called it, would require the user to install an app on their phone. 

If an account is compromised, the user will receive an MFA notification of an attempted login on a new device through their mobile app. The user would then have to verify the attempt to use their Butler account. Denny added that they will begin testing MFA this semester. 

Kelly Stone, a sophomore marketing major, said her prior knowledge of these emails helped her avoid falling for the trap. 

“I had a friend at another school who had this happen, so I felt lucky that I knew right away it was a scam, but when it’s coming to our Butler email from legitimate people it’s hard not to believe it,” Stone said. “Also what college kid wouldn’t want that kind of money?”

Phishing is considered a form of fraud, so BUPD is involved in this case.

IT collects IP addresses sourced from the phishing emails and sends them to Detective Jeffrey Wager for further investigation. 

Wager said most of these cases end up leading him to dead ends. He explained that a lot of these emails are from scammers from outside of the U.S. who are strategizing to obtain as many email addresses as possible through the content they link in their messages.

Wager said scammers resell lists of emails they’ve collected to create fake accounts and then apply for a credit card in someone else’s name.

“You won’t know anything about this fake account until someone calls you saying ‘You owe us $2,000,’ which can make the potential of these emails even more daunting,” Wager said. 

The biggest thing to watch out for is whether the email has a job offer with an external link or email address to click in the bottom of the text. Wager said each of the phishing emails BUPD has spotted so far have possessed one or more of these features.

“If it looks like it’s a good deal, it probably isn’t, and if anybody asks you to get them a gift card and send the pin number, that’s definitely a scam,” Wager said. 

IT has several resources that provide tips for avoiding scams online, such as how to spot phishing, how to report phishing and next steps if you fall to phishing

Wager added that BUPD Chief John Conley has discussed sending a public safety announcement on behalf of BUPD in the near future to increase awareness about this issue. 


Related posts