Students in two classes in the Department of Information Systems & Business Analytics had an assignment: draft fake emails to send to fellow students that would raise awareness about phishing scams. The emails certainly raised awareness about the issue when they were sent on Monday, but they did so while causing campus-wide panic and confusion, as students feared they faced suspension, expulsion or a hold on their financial accounts, and several departments scrambled to figure out what was going on.
Depending on which email students received – which appeared to be from “University Support” – they were either told their GPA “could jeopardize your admissions here at the University” or “a hold has been placed on your account” for unpaid university bills.
“It is imperative that you resolve this issue in order to receive full credit for the semester,” the latter emails said. Failure to resolve the GPA matter “may result in suspension/expulsion from the university,” according to that string of emails.
“I panicked for a good 20 minutes and then realized there was no possible way my GPA was that low,” said freshman Amanda Nikias. “Then I got the phishing email and realized Hofstra wanted to kill me.”
Several departments, including Student Financial Services, were inundated with questions and concerns from students; some were told this appeared to be a real scam. Hofstra’s Help Desk, which provides computer support for the university’s constituents, sent an email to students several hours after the fake emails were sent explaining, “These are spam emails sent as a learning exercise to get you to click on the link. The content is fictitious and absolutely does not apply to you. If you clicked on the link, nothing malicious will happen and you will be presented with a web page explaining the issues with clicking on an unknown link. Please ignore these emails.”
Catherine Fisher, the assistant director of Faculty Computing Services and manager for Academic Operations, was one professor behind the assignment, as was Mike Horowitz, an instructional technologist for Faculty Computing Services.
“The email was sent out as a class assignment,” Fisher said. “Mike and I teach Intro to Computer Concepts and Software Tools for the business school, and one of our topics is security – IT cyber security – and we had a phishing email assignment in both classes and we evaluated and reviewed each other’s classes’ emails.”
According to Fisher, 60 students participated in crafting the dubious emails as part of the Phishing Simulation Project started in 2014. The project aims to raise awareness by redirecting recipients of the emails to information on how to avoid actual phishing scams.
Robert Juckiewicz, the vice president for Information Technology, authorized the dissemination of the emails and said, “The university does – for students annually and for faculty and staff several times a year – an awareness program. We have found that sending out phishing emails has the best impact in making people aware. We do it on a non-scheduled basis.”
Although this technique has been used to raise awareness before, students’ finances and grades had not previously been used to provoke it.
“I don’t know who exactly from within Hofstra is responsible for those emails, but if the whole point was to raise cyber awareness this was the wrong way to do it,” said freshman Morgan Gelsinger. “Not only did it trigger panic attacks from me and my friends, but because it was from Hofstra I genuinely thought my enrollment was in jeopardy even though my grades are well within acceptable standards.”
“We didn’t intend to create panic and the students in our class wrote the email for their classmates,” Fisher said. “We definitely did not expect this kind of response. We discussed it in class quite a bit, showed all the emails and shared them with the students.”
Fisher claims the Office of the Registrar, Student Computing Services and Student Affairs were made aware of the emails before they were sent, but it was clear others were not. When asked about the situation, Deborah Mulligan, the executive director of Student Financial Services and Bursar, said she was “busy getting to the bottom of this.” Another official from Student Financial Services circulated an email to department officials telling them to “Tell students to disregard email – it is SPAM – and NOT to click on link!!”
“Whoever is responsible for this needs to be held accountable for putting that kind of stress in the minds of students with mental illnesses because this was the textbook definition of a triggering situation,” Gelsinger said.
“These exercises are meant to promote a safe environment for students,” Juckiewicz said. “The world is a crazy place out there in terms of cyber security and we just want to prepare our students and make them aware.”
Juckiewicz said they will be reviewing what they did and the unintentional consequences that emerged, as well as taking steps to prevent this from happening again. He emailed an apology to students Tuesday, saying, “While cybersecurity exercises are valuable, the messages used for this exercise were insensitive and inappropriate. We apologize for any confusion and concern these emails caused, and Information Technology is re-examining its protocols and processes, and will be required to seek approvals from other appropriate department vice presidents before any phishing emails are sent.”
Juckiewicz said, “We all regret any stress that we caused either to a student, a family member or anyone. It was not what we intended to do.”
This article was updated Tuesday, April 18, 2017, to include Juckiewicz’s emailed apology to the Hofstra community.