What is the harm of a phishing email?
Posted by Erin Bard on 17 October 2017 04:53 PM
This article will attempt to answer the question: what is the harm or danger in phishing attacks? What does the attacker gain by doing them? What does the college risk losing?
In no particular order:
#1. The college may be unable to send out emails: The attacker wants access to your mailbox so that they can use it to send out spam. This is advantageous to them because the college has a good email reputation that they can abuse to get their spam delivered.
The damage to the college is that our email reputation goes from a positive score to a very negative score and we get blocked by other email services. This has been shown to delay or prevent communication with prospective students, board members, alumni, vendors, donors, and other outside email recipients.
It is very hard to reverse this damage, as the 3rd-party email providers can legitimately say that we sent out spam and continue to block us. We have spent numerous hours fighting to undo this damage in the past.
#2. Your account may be used to trick other employees: The attacker wants to use your email account to send further phishing messages to other college employees, often in order to reach someone else's account that holds the access or data the attacker is after. These messages are especially effective because they come from a genuine college address that colleagues have no reason to distrust.
#3. College and student data may be stolen: The attacker wants to steal college data, such as student Social Security Numbers. This would impact the college's reputation when it becomes public (which is required by law) and would typically cause financial harm to the college in terms of notification costs, credit monitoring costs, investigation costs, and possible fines. Costs incurred by such a breach could be very substantial.
#4. Your computer may be hijacked: The attacker wants to gain access to your computer and/or the college's network. Once they have this access they may seek to sell the access to a 3rd-party, or use it to gain something else they want, such as student data. Or maybe they just want to hijack your computer and use it as part of a botnet to target other institutions.
#5. Your paycheck could be stolen: The attacker might try to trick payroll into directing your next paycheck into their bank account instead of yours, typically by sending payroll a request to change your direct-deposit details that appears to come from you.
#6. The college could be robbed: The attacker might try to trick someone in the finance department into initiating a fund transfer to an account the attacker controls. This has become a very common form of fraud, with attackers often impersonating presidents or finance officers and "ordering" the finance department to initiate an urgent fund transfer to cover an unexpected debt or cost.
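The impersonation described in #6 usually rests on a few header-level tells: an executive's name used as the display name on an outside address, a Reply-To that steers replies somewhere other than the apparent sender, and urgency language in the subject or body. The following is an added example (not from the original article and not the college's own tooling) that checks a raw message for those indicators; the executive name, the example.edu domain, the urgency word list and the two sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed for this example: the college domain and the people whose authority a
# fraudster would want to borrow. A real deployment would load these from the directory.
INTERNAL_DOMAIN = "example.edu"
PROTECTED_NAMES = {"jane doe": "president@example.edu"}
URGENCY_WORDS = ("urgent", "wire", "transfer", "immediately", "confidential")


def bec_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable findings for a raw RFC 5322 message.

    An empty list means none of the three indicators fired.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. A protected display name paired with an address other than the real one.
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    expected_addr = PROTECTED_NAMES.get(from_name.strip().lower())
    if expected_addr and from_addr.lower() != expected_addr:
        findings.append(
            f"display name '{from_name}' used with {from_addr}, not {expected_addr}"
        )

    # 2. Reply-To pointing somewhere other than the visible From address.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {from_addr}")

    # 3. Pressure language in the subject or text body.
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part is not None else ""
    text = (str(msg.get("Subject", "")) + "\n" + body_text).lower()
    hits = sorted(word for word in URGENCY_WORDS if word in text)
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    return findings


# Constructed sample: an outside mailbox borrowing the president's name.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe.president@gmail.com>
To: controller@example.edu
Subject: Urgent wire transfer needed today

I am in a meeting and cannot talk. Please transfer $48,000 to the account
below immediately to settle an overdue vendor invoice. Keep this confidential.
"""

# Constructed sample: a routine message from the real address with no pressure language.
SAMPLE_LEGIT = """\
From: Jane Doe <president@example.edu>
To: controller@example.edu
Subject: Board meeting agenda

Attached is the agenda for Thursday's board meeting.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(sample) or "no indicators")
```

None of these checks is proof of fraud on its own; a finance officer may genuinely write "urgent" from a phone. The point is that a fund-transfer request which trips any of them should be confirmed by phone with the supposed sender before money moves.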
The attacker ultimately wants money. So any access, resource, or data that they can get from you or the college that they can turn around and sell is their target.