Britta Cedergren has a whale of a phish tale, one that could have cost her dearly, without her own quick thinking and quick action by UAB IT’s security team.
All the phishing training in the world might not stop you from making a similar mistake if the urgency of a scam message hooks you, as it did Cedergren earlier this year.
“I was on my couch, watching TV, when I got an email saying that one of my students had submitted an anonymous complaint,” Cedergren said. “As soon as I saw the message I clicked the link and tried to put in my BlazerID and password. It never crossed my mind that this was a phishing attack until it was too late.”
Cedergren and about 300 other instructors were targeted in a sophisticated late-night email scam that was designed to trick them by preying on instructor anxieties, said Robby Ballard, information security engineer with UAB IT.
Here’s how the scam worked:
- An academic email address from across state lines had been compromised and was sending mass messages to those teaching in fields that had a potential for hot-button classroom discussions. The email asked instructors to click a link to view a complaint submitted by a student.
- A larger attack, targeting about 5,000 other email addresses, had been sent shortly beforehand as a diversion. While the security team was focused on eradicating that larger-scale attack, the smaller, targeted one was meant to stay under the radar for a while.
After she clicked the link, Cedergren figured out quickly she had made a mistake.
“I realized something was wrong immediately after I entered my password into the portal. My Duo kept spinning, spinning, and spinning,” she said. “I checked it on my laptop and then my phone. It finally clicked when I went to another browser and pulled up myUAB, and my Duo worked. When I realized what I had done, I reached out to (UAB IT), who jumped into action immediately.”
Working that evening were Ballard and his colleague Nick Vining, who stepped in quickly.
“When attacks like this pop up, the first thing we do is staunch the bleeding, meaning we jump in and start eradicating the email,” Ballard said. “While doing this, we monitor who clicked the link. After we confirm that the account is not being used to send out more phishing emails, we start to investigate the site. We look at what the attacker's goal is.”
An email like the one Cedergren and others received represents “the introduction of AI” to the world of phishing, Ballard said. The usual hallmarks of a phishing email — bad grammar, misspelled words, or a demanding tone — were all gone. In their place was an email that read like a legitimate, automated message one might receive if a complaint had actually been submitted and you were the intended recipient.
“What was really scary was that the attackers had opened up a new direct deposit account without me knowing,” Cedergren said. “Luckily, we caught it fast enough, so HR and Finance were able to pull it immediately. With the help of Robby, we changed all my passwords — BlazerID, laptop, basically all of my logins.”
So, how did this happen? Through credential harvesting. On average, around 41 percent of phishing emails are credential harvesters. The bad actors create a fake landing page that looks identical to a real UAB login page and trick people into “logging in” by entering their username and password. Once those credentials are entered, the scammers take that information and enter it into the real UAB login page.
“When Britta got the Duo push, she thought it was for the fake landing page, but in reality, they were logging into her account,” Ballard said. “They got into her email and set up a rule that any messages containing key words like phish, security, and compromise would automatically be deleted. They even made sure that emails from our notification system Red Flag would be deleted.”
For those who don’t know, anytime you make an adjustment to your account in Oracle, an email notification is sent from
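The inbox rule Ballard describes, which silently deleted anything mentioning phishing, security, compromise, or the Red Flag notifier, is something a mail administrator can hunt for in a mailbox-rule export. As an added example (not part of this article or of UAB IT's own tooling), here is a small Python check over constructed rule records that flags rules which delete or hide messages matching those keywords; the InboxRule structure, its field names, and the SAMPLE_RULES are assumptions for the example, not real rule exports.

```python
from dataclasses import dataclass, field

# Terms the attackers in this incident used to make warnings vanish.
SUSPECT_KEYWORDS = ("phish", "security", "compromise", "red flag")
# Rule actions that keep a message out of the owner's sight.
HIDING_ACTIONS = ("delete", "move_to_deleted_items", "move_to_rss_feeds")

@dataclass
class InboxRule:
    """Simplified mailbox-rule record; field names are this example's own, not Exchange's."""
    name: str
    actions: list
    subject_contains: list = field(default_factory=list)
    from_contains: list = field(default_factory=list)
    body_contains: list = field(default_factory=list)

def assess_rule(rule: InboxRule) -> tuple:
    """Rate one rule as ("high" | "medium" | "low", matched condition strings)."""
    hides = any(a.lower() in HIDING_ACTIONS for a in rule.actions)
    conditions = rule.subject_contains + rule.from_contains + rule.body_contains
    terms = sorted({t for t in conditions if any(k in t.lower() for k in SUSPECT_KEYWORDS)})
    if hides and terms:
        return ("high", terms)      # silently deletes security or phishing warnings
    if hides and not conditions:
        return ("medium", terms)    # blanket delete: the owner sees no mail at all
    return ("low", terms)

def find_suspicious_rules(rules) -> list:
    """(name, severity, terms) for every rule rated above "low"."""
    findings = []
    for rule in rules:
        severity, terms = assess_rule(rule)
        if severity != "low":
            findings.append((rule.name, severity, terms))
    return findings

# Constructed sample: a rule like the attackers' (delete anything mentioning phish, security,
# compromise, or the Red Flag notifier), an ordinary filing rule, and a blanket delete.
SAMPLE_RULES = [
    InboxRule("Cleanup", ["delete"], subject_contains=["phish", "security", "compromise"],
              from_contains=["Red Flag"]),
    InboxRule("Newsletters", ["move_to_folder:Newsletters"], from_contains=["newsletter"]),
    InboxRule("Everything", ["delete"]),
]
```

Run against a real export, the "high" findings are the ones to review first, since they are exactly the shape an attacker uses to hide account-compromise alerts from the mailbox owner.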
In cases like these, Ballard said, “time is of the essence.” That evening, because others on campus had reported the message, UAB IT was able to help Cedergren within the hour.
“I think if I had dragged my feet, this would have been a different story,” Cedergren said. “Looking at it now, there were some things that I should have picked up on. In the moment, though, the only thing I could think of was ‘oh gosh — what did one of them say?’”
With the help of UAB HR, UAB Financial Affairs, and UAB IT, Britta was able to recover her account and remove the scammers' account from her direct deposit. She advises others to think about the context of a message before reacting to it.
“One thing I learned from this experience is, don’t react to something unless you’ve investigated it first,” Cedergren said. “I am extremely cautious about the fine details — not even the message itself. If anything is suspicious, I send it directly to IT.”
Ballard and his colleagues want you to report anything you think could be a phish. It helps them help the rest of campus. “The Report Phishing button is our best friend,” he said.
