If you work for any library, big or small, more often than not your library email account will be used by a hacker in a phishing attempt. If unfamiliar you may be asking, what is phishing? Chances are you probably have already opened another browser tab and googled “phishing” and you have now returned to this tab to pick up where you left off. For those who aren’t information go-getters, please allow me to explain a few things about phishing followed by reasons why librarians as information professionals should always be on the look out for phishing attempts even if you don’t work in library IT.
Phishing is a complicated piece of hacking an organization through social engineering. Lucky for you, I am not a computer engineer, so my explanations will be simple by default. Hackers have multiple methods to hack an organization. As analogous to thieves, hackers can break your car window, which will be loud and draw attention. This method will get the job done, but you have to see what you want to take in the car and be quick; you must know what you want from a library system by hacking in such an obvious function. The other method of breaking into a car is less obvious and requires more finesse. If you want to break into a car, I assume you could try to pick the pocket of the owner. The digital equivalent of pick-pocketing a website might be impersonating a library employee’s email address and emailing multiple patrons requesting a patron reset his or her password on what appears to be a library website. However the library website is a copy with a different but similar URL. If successful, a hacker might get a few dozen patrons to compromise their library login credentials.
The risk for this attack is different depending on what type of library you work for. If you work for a public library, your risk is smaller. Patron login credentials might be generic or include only their name and a library card number. But if your library is a college or a library connected to a business where patron login credentials might be connected to other payment systems, hackers through phishing could gain access to a tremendous amount of patrons’ financial information.
How much of a problem is phishing? Sadly phishing is only getting worse. From 2012-2013 phishing as a resource for hackers has seen an increase of 87%. Now having cautioned you at great length, what can you as a librarian do about phishing?
Nothing. However that isn’t entirely correct. If someone wishes to phish at your library for patron data, they could hack into your email, but that will raise security flags; its too obvious. Or they can copy your email address through a complicated method called email spoofing. Email spoofing is impossible to protect against. It doesn’t require accessing the owner’s email but instead forges the email address and the email owner’s signature. As a result no amount of digital security will protect your organization against email spoofing combined with phishing. No amount of secure password policies will protect against a hacker sending an email disguised as a library staff person to your patrons.
Hopefully your email service is good enough that your email vendor will flag the emails as spam. But hackers are constantly creating phishing email templates with specific details and email signatures to work around spam filters.
Even though email spoof phishing is impossible to protect against, through proper library staff training and quick reactions, librarians can work with their library or university IT administrators to resolve phishing attempts in a timely manner. Like any natural disaster, your staff need preparation. They need to have library phishing manuals with specific instructions for what to do if librarians are involved with a phishing attempt. Also your communications librarian may need to be involved to manage your library’s image as they control the damage. If your library reacts quickly and transparently, you may be able to show how well your library cares about the safety of its patrons’ data. And if we’ve learned anything in our increasingly digital lives, trust is a very important tool. If your organization loses that tool, patrons may not want to continue using your library.
Following a phishing attempt at your library, here are a few (obvious) tips you might follow:
1. Inform your university or library’s IT administrator. If you work for a larger company or university, you should have an IT Risk Management Officer.
2. If there is a malicious copy of your library website with a similar URL being hosted on a domain, contact or have your IT admin contact the domain registrar and demand they take down the offending website which is involved in the phishing. (This will stop more patrons from clicking the link and providing their login credentials) Normally domain registrars will comply under threat of legal action.
3. Inform public service-related library staff of the phishing attempt so they may assist in collecting information.
4. Find out what patrons received phishing emails to make sure those patrons are completely aware of their accounts being compromised.
5. Reset the login credentials for patrons who may have compromised their accounts.
Here are some colleges which have compiled databases of phishing emails with some important phishing information.
This article was originally posted on Berrypicked.com and has been reposted here for self-archiving purposes.