The Evolving Threat of Phishing
By Granit Krasniqi
On August 10, 2024, as I was going through the trouble of making sure all my financial aid and scholarships and loans were being processed correctly for the upcoming semester, I received an email. An email I hastily clicked on named “COLLEGE GRANT.” The email described a “National College Board” and a “student benefit grant” that I had been approved for. All they needed was my “Full Names”, cellphone number, banking institution and my personal email address. I was provided a name, “Nathan Brown.” He was to be the contact I sent all this information to. The email ends with a note, “NOTE: Eligible students are not required to pay back the grant. Kindly also indicate if you are/were enrolled in other college as you can be eligible for double grant.” There was also another “IMPORTANT NOTE” reiterating that you must contact the financier with your personal email.
This sounded amazing. Almost too good to be true. That is because it was. The “National College Board” does not exist and is likely trying to borrow legitimacy and likeness from the legitimate non-profit organization that runs the SAT and high school AP assessments, College Board. “Nathan Brown” also doesn’t come up with any results other than a Reddit post questioning the legitimacy of the exact email I received. It is a common name and surname that they likely thought wouldn’t raise any eyebrows. The notes addressing how good the grant is and how it won’t need to be paid back are all a part of the allure. They might’ve been successful if they didn’t have so many spelling and grammar mistakes and if the format of the letter wasn’t a screen capture of an iPhone notes page. Who sends emails as only a jpeg? People who want to steal a lot of other people’s information quickly.
This email is a clear example of phishing. Phishing is a practice where you are sent an email or message that appears legitimate and asks for personal information. The appearance of legitimacy is often targeted. The email I received was expertly aimed at students. Depending on where your email address was taken from, the scammers can tailor the email to be relevant to your life. For example, if the email about college grants I described before had instead been sent to a fifty-five-year-old professional working on Wall Street, it wouldn’t be successful. The Wall Street professional has been out of school for a long time and would never trust or even look at an email about college grants. However, if our same hypothetical Wall Street professional bought an expensive car recently, and the email was tailored to look like it came from a dealership and addressed concerns or problems about the purchase, it could very well be enough to attract his attention.
Phishing is yet another hurdle we have to deal with in our increasingly digital lives. Students at Lehman are not the only ones dealing with this. Even companies like Google and Facebook, giants of the tech industry, deal with phishing attacks. The most infamous case is that of Evaldas Rimasauskas. CNBC reported that Rimasauskas pleaded guilty to wire fraud “…after helping to orchestrate a scheme that included setting up a fake business and sending phishing emails to employees of Facebook and Google. The scheme ultimately duped those multibillion-dollar companies out of more than $100 million in total between 2013 and 2015, according to the U.S. Attorney’s Office for the Southern District of New York” (Huddleston 2019). Phishing can also target the government, as voters in Lawrence County, Pennsylvania learned. New Castle News reported that voters received text messages reading “We have you in our records as not registered to vote. Check your registration status & register in two minutes,” and were then directed to a link (Watcher 2024). In L.A. County, the Los Angeles Times reported that the public health agency was hit with a phishing attack that potentially exposed “…more than 200,000 people in Los Angeles County” (Fry 2024). Atrium Health, a healthcare company, was also not left unscathed by phishing. The Charlotte Observer reported, “An unauthorized third party gained access to a group of employees’ emails through phishing…” (Chase 2024).
Phishing attacks can target any part of society, from mega corporations to hospitals to the government. Everything is vulnerable. There are multiple reasons it is so ubiquitous. One reason is that it is incredibly easy to do. You do not need the high-level technical knowledge you would need to hack into a system. All you need is a good script and a link that prompts people to enter their information. Another reason phishing is so effective is people. People are the weakest link in cybersecurity, and phishing exploits them. You could have the strongest cybersecurity in the world, and it wouldn’t prevent someone with access from clicking on a suspicious link in a phishing email. This means that in order to combat phishing we must be vigilant ourselves.
Lehman College needs to do more to help safeguard students and faculty against phishing and all kinds of cybersecurity attacks. The Information Technology Division offers workshops on how to effectively use different programs and technologies such as Office 365 but offers no courses on security. On their page titled Information Technology Policies, Security Alerts and Advisories on the Lehman website, there is a link to a CUNY online security awareness course and an accompanying PDF, but both links are dead. The page hasn't been updated since 2017, it proudly says at the top, despite there being one PDF from 2018. That one is titled Holiday Season Online Scams and Malware Campaigns. It does address phishing and gives tips on how to deal with it and other malicious attacks, but it is not enough. One PDF from 2018 is unacceptable. The phishing email I described at the start of this article was not sent just to me. There are other Lehman students who received this email. This should have rung alarm bells for the IT Division to at the very least send out an email addressing the situation, but there was nothing. Lehman needs to do better for its students and faculty. I have reached out to the Chief Information Officer at Lehman, Ms. Ediltrudys Ruiz, for comment but have not received a response at the time of writing.