Surge of scam emails prompts security concerns, new protection measures


Grace Comer

Many Northeastern students have received scam emails, like this one, claiming to offer high-paying part-time jobs. New security measures have been introduced to make it more difficult for other users to log into someone’s Northeastern account.

Katherine Mailly, news staff

Northeastern students have been seeing an increase in scam emails appearing in their school inboxes, which some say have been harder to spot due to their similarities to legitimate university emails. Following the scams, all Northeastern emails will be receiving an upgrade intended to keep Northeastern accounts more secure.

When fourth-year journalism major Luiza Loyo received an email advertising an employment opportunity with a doctor named Ben Simon, Loyo assumed he was associated with the university. The email said the position would pay $500 weekly for an assistant to make purchases for Simon, as well as make some philanthropic donations, which he was not able to do due to his heavy workload.

The email was well-written, and because Loyo received it from her Northeastern email, she assumed it was from a university project. As an international student, Loyo said she was accustomed to finding work through the university.

“A lot of international students are seeking jobs on-campus because they can’t work elsewhere,” Loyo said. “So it’s a very logical assumption to make that those emails are falling into your Northeastern account because people are looking to hire Northeastern students.”

Loyo responded to the email inquiring about being hired and received a response that featured odd grammar and phrasing, asking for personal information, after which Loyo would be immediately hired. It also stated that Loyo would be paid through an unnamed external group. Loyo stopped responding due to the suspicious nature of the response, but only fully recognized that it was a scam when friends were later discussing the scam emails that students had been receiving.

“After talking to my friends that day, where they were also saying that they were receiving a lot of scam emails, it all clicked together,” Loyo said. “I started looking through my inbox and I actually am receiving a lot of weird job opportunities all of a sudden, which I first thought was a service from the Northeastern employment office.”

Eric Nichols, a fifth-year computer science major, said he decided to look into the scam emails after first hearing about them. Nichols said he looked at the scam emails that other students had received and noticed that the email addresses that were being used – all Northeastern – were only from graduate students and professors. He also found that he and other students would receive identical offers, but the sender would vary.

Nichols said he wondered if someone was able to log into the Northeastern accounts with the user’s credentials, or if they had been hacked. If they had been hacked, Nichols said he had concerns about what else the accounts could be used to do.

“Is it that their account was compromised or was someone able to — without logging in — impersonate those people?” Nichols said. “And if all these accounts have been compromised, is it just that they’re sending out spam emails, or is there other stuff going on with that?”

Nichols also said the emails were not immediately recognizable as scams because of their content and structure, and that because of this, Northeastern’s tips for noticing scams might not be very helpful.

“So when they offer advice on tips of how to spot a fake, I think there’s a potential angle there that the school is making it harder to differentiate because they’re engaging in a lot of the same behavior when they send us emails,” he said.

Following an upgrade in Microsoft technology released Oct. 1, Northeastern will be integrating new levels of protection for university emails. Scott Olson, manager of student employees, services, staff and training, said the new security is called modern authentication. The program, which was first rolled out at Northeastern Nov. 8, adds an additional layer of protection when students log into their Northeastern accounts.

According to the modern authentication website through the Office of Information Security (OIS), many Northeastern students have already been using devices reinforced with the upgraded software, which involves two-step authentication through Duo. With this log-in system, Northeastern email users are granted temporary access to whatever service they had logged into, which will eventually expire. Duo authentication will also become more common following the switch to modern authentication, according to the website.

The original log-in system, known as “legacy authentication,” would allow those with Northeastern emails to sign in with just a username and password, which would then be saved by the application they logged into. This leaves those using this log-in system vulnerable to security risks, according to the OIS webpage.

“The transition to modern authentication will enhance account security and decrease the amount of compromised accounts and phishing emails throughout Northeastern’s network,” reads the Office of Information Security webpage.

Following the upgrade, students using outdated log-in methods had to switch to the latest update of Microsoft 365 and make sure their email client can support modern authentication by Oct. 31, or they could have lost access to their Northeastern email.

Information Technology Services sent out an email Nov. 9 announcing the change. The announcement referred to modern authentication as Duo two-factor authentication, or Duo 2FA. It also announced that when logging in, students will be required to log into their Northeastern accounts using Active Directory, because students may be blocked from their accounts by using the myNortheastern Login method.

“Duo 2FA is already required to access the university’s virtual private network and other frequently used online services and systems. This update doesn’t change the way you log in and verify using Duo, but rather expands it to protect additional services,” the email read. “Thank you for your support in helping keep Northeastern accounts and data safe and secure.”

Leading up to the switch, Northeastern also sent out multiple emails warning about the increase in spam emails, as well as tips for how to spot deceptive offers. According to the emails from Cassandra LeBrun, the assistant director of talent engagement, students will always be asked to sign into NUworks if the job offer is a real position associated with Northeastern. LeBrun also wrote that students should ask a career counselor at Employer Engagement and Career Design to verify if the offer is deceitful and to forward her all dubious material.

The emails gave general advice about not supplying crucial personal information like bank account information and social security numbers, warned that if the position seems too good to be true, then it probably is, and said that all international students will need to be authorized before beginning any kind of employment.

First-year journalism major Darin Zullo, who when speaking with The News had not yet been informed about the modern authentication system, stressed the importance of involving a program that could filter out scams. Without the inclusion of such technology, Zullo said he felt the university would not be adequately addressing the situation.

“If people are getting hacked as a result of these phishing emails, the school could be doing more to respond to the situation,” Zullo said. “It’s a pretty prevalent issue and we’re all kind of aware of it because we all check our emails. I just feel like there’s not really enough being done.”