Carleton issued a notice this past week warning students of a phishing attempt sent to their Carleton email accounts.
On June 17, a campus announcement was posted in students’ online accounts titled “Beware of Phishing Email with subject: Password Expiration – Appears to be from Carleton University.”
Fahad Hayat, a Carleton student, said he received a phishing email on his Carleton account stating his password was about to expire and that he would need to change it.
Phishing attempts emailed with links in them asking for the receiver to change, provide, or confirm account information are used to steal account information and then use the compromised email account to send out more phishing or spam emails, according to Carleton’s statement.
The university’s announcement said not to open the email, click on the link within it, or to reply to the email. It added if a student had already done any of those things, they are to change their password by going to the MyCarletonOne page.
Andrew Yuill, a service desk analyst at Carleton, said the email that caused the most recent notice from the school was one of a few that slipped through the current email system’s junk filtering system.
He said the student email system on Microsoft, hosted by Office365, generally has good spam filtering and uses junk folders. For example, if the recent phishing email didn’t pop up in your inbox, it might have gone directly to junk mail.
According to Yuill, the staff and faculty at Carleton get spam and phishing emails much more commonly than the students—about once a month.
Email addresses posted on websites, commonly those of staff members on online phone and contact directories, receive more spam emails because the addresses are accessible, Yuill said. He said it makes the university a bigger target, in addition to the fact that there are so many accounts associated with the university.
Yuill said that phishing poses a greater risk than spam since it’s possible for the email to spread outside of Carleton if contact lists are compromised.
He said sometimes a phishing email could appear to be coming from Carleton if a person who received the email accepted the phishing attempt and provided their information.
Yuill said that to fix this problem, a person would have to change their email password, and sometimes it’s necessary to clean out their sent folder as well.
If an email arrives in your inbox demanding a password change or account information, Yuill said he recommends hovering your cursor over any links in the email.
He said that from the pop up description, you should be able to see what the link leads to. Yuill also said to check the message headers. The email may appear to be coming from Carleton, but have a strange email address.
To combat phishing and spam, the university sends out notices of the emails to students, he said. Yuill added that the university will never ask for account information.
Yuill said Carleton staff’s and faculty’s emails will be moved to Office365 to cut down on the amount of phishing and spam emails they receive.