Have you fallen for one of those fake IT phishing emails?

30/10/2024

By Ed Brenner

Approximately 3 million emails are sent each week to UMass Lowell’s more than 22,000 students, faculty and staff – approximately 137 per person.

However, less than a third of those messages actually reach the UML inbox. That’s because the Office of Information Technology’s Information Security team uses the latest software to remove nasty spam and, even worse, dangerous malware and phishing attempts.

The scammers are “endlessly inventive and terrible,” said Heather Fowles, UML’s new chief information security officer, who replaced the retired Jim Packard in February.

Fowles came to UML after working in healthcare for more than a decade. From 2019 to 2023, she served as information security officer at Mass General Brigham; previously, she was director of information security at the Massachusetts Eye and Ear Infirmary.

“I’ve always been more attracted to organizations with a public mission, and that’s something that made UMass Lowell stand out,” said Fowles, who leads a team of four information security engineers and several student employees.

“A big part of security is having good IT partners, and that was another selling point,” she says. “You want to have people on the infrastructure side thinking about how to manage the systems, how to patch them and how to keep them up to date. That will certainly reduce your exposure.”

Image by Ed Brenner

Chief Information Security Officer Heather Fowles talks to members of her Information Security team during a recent cybersecurity awareness event at the Pulichino Tong Business Center.



Fowles long thought she would work in higher education – as a professor. She earned a bachelor’s degree in the history and philosophy of science and medicine from the University of Chicago in her hometown and a master’s degree in the history of science from Harvard University.

“Then I thought, ‘Wow, what am I doing? I am not college professor material,’” said Fowles, who found her way into information security at New England Financial.

“It is a very good field if you like to be at the intersection of technology and people,” she says. “The technology is always changing and the threats are always changing, and you try to be at the forefront of the technology solutions. But often your problems are human problems – what people do with their technology and their attitude towards rules or restrictions.”

Fowles spoke at the end of October, National Cybersecurity Awareness Month, about her new role and why her team is sending you those fake phishing emails.

Q. How does information security in higher education compare to healthcare?

A. Many of the challenges are the same. We probably have more diversity on a college campus in terms of the technologies we support, and that can be a challenge. In healthcare, some of the concerns of physicians doing research are similar to the concerns you might have here in a faculty position. It’s not just about the IT infrastructure; you also have some things that are harder to protect, like research and more one-off things that are more unique to a research and education environment.

Q. What are some of your immediate priorities?

A. One of the first things we did was improve our security monitoring. The team is small, so one of our big efforts was setting up a 24/7 network monitoring service. We have a lot of great monitoring tools in our systems, but if an alert goes off in the middle of the night and someone doesn’t wake up and hear it, at least we have an external service watching. That gives us a little more peace.

Image by Ed Brenner

Heather Fowles joined UML earlier this year as chief information security officer after more than a decade working in healthcare.



We are also doing more on the awareness front. We’ve been hitting tables around campus for Cybersecurity Awareness Month, and we’re doing some phishing testing, sending simulated messages to expose our staff to the different types of attacks. We will also extend this to our students.

No matter how good your technology is, there is always a small percentage that gets through. There is a large population here and the cybercriminals are quite inventive. I get feedback from people like, “I can’t believe you’re letting me do this.” But I do think that little bit of awareness when you click on something you shouldn’t is a better learning experience than any number of videos I can make you watch. There’s no better way to learn these things than through experience.

Q. What types of phishing should students be aware of?

A. At the beginning of the semester there is an increase in job fraud: work from home and earn money. A student gets paid to buy things, maybe gift cards. They think they received a check, but the person depositing the money into their account has the ability to get it back within three days, so they take the money out of the student’s account and are essentially out of pocket for the costs of the articles. And then there are the scams in the marketplace for things like concert tickets, where they don’t get the money or the goods never materialize. This year we had an academic integrity scam that was unbelievable. The scammer told the student he was the subject of an academic integrity investigation, and the university demanded he pay $750 for the investigation. Luckily, the end game involved sending money to Kenya, and the student said, “Oh, now I know this isn’t real.”

Q. How have you seen threats evolve during your career?

A. In the 1990s we got religion about patching systems. No one really thought this was a big deal until you started seeing these massive malware attacks, most of them from actors from other countries, so law enforcement couldn’t deal with them. That has moved to things like ransomware. For a while, the ransom was all about: “We’re going to shut down your systems, and you won’t have access to your activities unless you pay us.” And then the ransom operators realized they didn’t even have to do that: “I’ll just steal your data and ransom.” Cryptocurrencies like Bitcoin have been a huge accelerator for scams because they can now be paid for anonymously online and they don’t see the humanity of the person they are scamming.

Q. How complicated is your job becoming as more people learn and work remotely since the pandemic?

A. There are some smart architectural decisions made here, with students virtually being on a separate network so they can bring their own device into that network. But we’re careful about authenticating them and understanding what systems are in place. And then we have our administrative or internal systems, which are at a distance from those of our students. From a work-from-home perspective, we don’t tell our staff to use a home system. We provide a laptop and say, “This is what you’re working on.”

Q. What about cell phone security?

A. People are a little more sensitive to scam messages from their phones. It’s a small screen and it’s a little harder to see subtle details. And people often rush. If you live a mobile lifestyle that involves doing a lot of work from your phone, slow down and make sure you know what you’re clicking on. Or wait until you’re back at your desktop, if that’s possible. And if you receive annoying spam text messages, just block them.

There’s an old “Far Side” cartoon by Gary Larson that I really love. It’s a businessman in a small space capsule. He flies to work and his cup of coffee is outside. Technology changes, but people remain the same.