Phishing has made it inadvisable for institutions like banks and financial sites to use email to communicate with customers. Doing so would just confuse them more and raise the likelihood they would be fooled by a phish. But what about ordinary institutions like schools and colleges?
The Worcester Telegram & Gazette reported earlier this week (payment required) that officials at the local college, Assumption, “will no longer send e-mail to alumni until it can avoid a repetition of a computer-system invasion Friday in which scammers obtained the e-mail addresses of alumni, parents and employees”.
It’s not quite clear how the scammers got hold of the mailing list. But once they did, they appear to have used the list to send out a Citibank phishing email, with the college’s domain name somewhere in the header. It’s not clear how many people fell for the scam.
The problem here is that an institution like a college is much more likely to use email to communicate with alumni, students and staff. Indeed, that was how Thomas E. Ryan, Assumption’s vice president of institutional advancement, warned alumni, parents and employees about the scam.
You can imagine the confusion: first they get an email that seems to be from Citibank (or the college) warning of a “large number of identity theft attempts” on Citibank customers and requiring them to “confirm your banking details.” Then they get an email from the college warning of an email scam. Now, the college says, it won’t use email to communicate with alumni: “Until the cause is determined and fail-proof virus and scam protections are in place, no alumni e-mails will be sent from the college,” Ryan was quoted as saying.
The reality, though, is that there is no fail-proof protection, and institutions like Assumption may find they have to use something other than email to communicate with their alumni, or with anyone else. That raises troubling questions about how institutions, companies and bureaucracies communicate, even internally.