Phishing emails continue to test SAU cyber security

By Kayla Williamson

Every morning, Chief Information Officer Chris Blackstone runs a report that pulls a list of all email accounts that have forwarding rules set up. He then looks at the name of each email account that is forwarded for any clue it might be a fake email.

“The challenge with all this is that it’s kind of like a dam that’s cracking and trying to put your finger in the holes,” Blackstone said. “It’s kind of like playing whack-a-mole.”

On July 31, the first of many phishing emails were sent to hundreds of Spring Arbor University (SAU) students. Over 200 accounts were compromised in this phishing attack. Emails varied from fake Dropbox links, warnings your email is going to be disabled and alerts that an account is over its email quota.

Although these kinds of scams are common with other schools using Microsoft systems, there is not much anyone can do to prevent or to protect against the attacks once they start and have compromised an account. So far the Information Services team has spent over 300 hours trying to fix the problem.

“It’s consumed my August,” Blackstone said. “It’s pretty much all that I’ve been working on in August. I was on vacation and got pulled back into doing stuff. It’s been quite an ordeal.”


Unlike hacking, phishing emails do not have access to users’ information unless the users give it away.

Blackstone said it is different from a hack because people give their information willingly, whereas in a hack someone penetrated the network to find information.

Once the phishing source has a student’s information, he or she has access to all of the student’s records. A student’s username and email are just as valuable as a social security number, Blackstone said. But since these attacks were random, no account changes have been reported. But this summer there have been reports of students not receiving financial aid information and faculty not receiving emails for five days.

This is why Blackstone runs a manual report on all email accounts with forwarding rules. Attacks have forwarded emails from an account to a fake email. After 22 accounts were reported not receiving emails, that was the point when Blackstone said they had the potential for significant damage.

The solution: a password reset.

On August 25, all students, alumni and adjunct instructors had to reset their passwords. Since the password reset, there have been less attacks.

“The frustration to me now that we are working hard to lock our stuff down, it’s how many other organizations aren’t,” Blackstone said.

While SAU may be strengthening its own cyber security, a network is only as strong as its weakest link. Groups SAU partners with, like BankMobile, NAIA, Tree of Life and more, can be weak points in the security depending on their own IT precautions.

Blackstone has already reached out to the NAIA and the Commissioner of the Crossroads League because SAU accounts marked emails from them as spam because their system was not configured correctly. After Blackstone reached out to their IT team, the problem was fixed within a day.

While attacks may be slowing down, Blackstone still encourages students, faculty and staff to never click on links or give out login information unless it is through the portal. Because of these attacks, Information Services has updated the portal login. Instead of a pop up asking for a username and password, the portal opens a new login screen with the clock tower on it.

“Knock on wood, we’re seeing fewer of [the email attacks],” Blackstone said. “I think we’ve got greater security in place. Once we turn on the next step of the security, I think that will additionally help keep stuff out.”