Hillsdale has received vishing attacks, in which scammers impersonate information technology support or other trusted entities to infiltrate a victim’s email account or an organization’s address book, and students must report them to the IT department, according to Scott Aschenbach, Hillsdale’s senior director of information security.
The Help Desk will never call students with urgent problems, create panic, or ask for passwords over the phone, according to Timothy Post, IT operations manager.
Aschenbach said he believes scammers will start to deliberately target Hillsdale as its prestige grows and that the consequences of those attacks could be expensive. Fundraising impersonation, in which scammers imitate the school they have compromised and call donors to get them to donate to the scammer, is especially dangerous, according to Aschenbach.
“They say an average breach is $4 million, but the fundraising impersonation is long range,” Aschenbach said. “No one knows what that is. It is above $20 million.”
It is also expensive in other ways, according to David Pauken, cybersecurity engineer and a long-term Information Technology Services staff member.
“Your reputational cost is very high,” Pauken said.
Aschenbach said it is typical to lose up to 30% of your donations initially after the attack, with some donors lost forever depending on how well the school handles the situation.
Vishing scammers imitate trusted entities, such as IT support, and operate strategically, Aschenbach said.
“You are probably not the destination of most attacks, but I think you can be the first step,” Aschenbach said. “People find out you are a student here, and if they compromise your account or get on your laptop, they can start talking with faculty.”
Aschenbach said these vishing attacks can involve striking up conversations with the contacts in a student’s account.
“The fact that it is this kind of sophisticated multi-step is surprising,” Aschenbach said. “In the old days, it was just one and done.”
These types of attacks are not random, but targeted, Aschenbach said.
“Opportunistic attacks — it is like spreading seed,” Aschenbach said. “Wherever it sprouts is great. They don’t care if it doesn’t work everywhere, because they are just going for the numbers. With targeted attacks, it is usually a decision that they want. They think that that company or whatever organization has a lot of money or they literally want to attack them.”
It is essential that students report these attacks to ITS, as that helps the department protect others in the future, Aschenbach said. When a student brings a compromised account to ITS, the department can clean the machine and check the student’s email. According to Aschenbach, attackers typically get the email credentials and send emails out, deleting them immediately afterward so they do not appear in the sent box.
Pauken said it is important to understand that the information these attacks garner has monetary value.
“It probably does not have a huge dollar value all by itself, but having an up-to-date recent address book of the entire organization does have a financial value,” Pauken said.
Since it is easy for any student or staff member to have a copy of an organization’s address book, scammers who break into unsuspecting student accounts can use that to their advantage.
“You can buy whole lists of organizations, of known accounts, users, passwords, locations, address databases — everything is for sale,” Pauken said.
The college uses Microsoft Defender, a security suite that protects against malware. Sometimes, malware will slip through, which is where a student, staff, or faculty member can help protect the school.
“If somebody reports a message as malware, then that will bounce back to Microsoft and they will double check it,” Aschenbach said. “If it really is malware, then they tell all the defenders in the world to go out and delete all the other copies of that.”
To be aware of these attacks, students should look to the IT Security Alert, a document that provides a 30-second test to detect scammers and the proper protocol to handle them, according to Aschenbach. Students should also know the ways in which these vishing calls and emails can differ from those of the Help Desk. Post said that calls from vishing scams differ from legitimate help desk calls in several key ways.
“Real help desk staff almost never cold-call students with urgent security problems, and we will never ask for your password or Multi-Factor Authentication code over the phone,” Post said. “Vishing scams, however, typically start with an unsolicited call that creates panic, panic, panic and pressures you to act quickly, and demands sensitive information or remote access.”
Post said ITS handles these security alerts like any other cyber attack.
“They are treated the same way as any security incident: we investigate, contain any potential compromise, reset affected credentials if needed, and provide guidance to the individual,” Post said.