How cyber criminals are pulling out all the stops to steal money from the University
A cat-and-mouse game, that is how Radboud University information security officers describe the constant battle they fight with cyber criminals. While phishing used to involve emails filled with language mistakes, criminals are now taking a much more sophisticated approach.
Why did cyber criminals choose to target Rebecca*? She has no idea. The managing director of a research school at the Faculty of Science has fallen victim to identity fraud by phishers not once but several times in the past year.
The first time still involved a pretty amateurish attempt. Someone had apparently sent a request in Rebecca’s name to an HR advisor to have her salary paid into another bank account. However, the email was sent to a personnel advisor who worked for a completely different faculty, and it was sent from a German email domain.
Cyber security month
October is all about online safety at Radboud University. Earlier this month, investigative journalist Anthony van der Meer gave a talk, and digital experts from the police force came by to offer advice.
In March of this year, a few months after their first failed try, the criminals made another, far more sophisticated attempt. The University’s Accounts Department received an invoice for €20,000 from a debt collection company for legal consultancy work that had never taken place.
On the same day, the Accounts Department also received a request, this time supposedly from Rebecca, to pay this invoice urgently as it had been ‘overlooked’. Rebecca’s email – in flawless Dutch – now came from an email address ending in ru.nl.
‘Spear phishing’
As a scam, this was much harder to catch. The details of the very real debt collection company were correct, and as managing director of a research school, making sure that invoices get paid is part of Rebecca’s daily work. There was therefore nothing remarkable about her asking the Accounts Department to pay an invoice.
‘The culprits had clearly done their research,’ says Edwin Wijnhoven, security officer at the Faculty of Science. ‘It was a very personal attack, and they really put a lot of time into it.’ The invoice was ultimately not paid because an Accounts Department employee personally approached the budget holder – i.e. Rebecca – to inform her that she had failed to follow the correct procedure for paying the invoice through the Bass internal system. It was only then that the scam was revealed.
‘It’s terrible to have someone misuse your name’
Although no harm was done, the incident still left a nasty taste in Rebecca’s mouth. ‘It’s terrible to have someone misuse your name. The fact that there’s nothing I can do about it now is extremely annoying.’
This is typical of the way cyber criminals operate these days, Wijnhoven believes. Targeted attempts such as these, known as ‘spear phishing’, are increasingly being observed by University ICT staff.
There are as yet no records of the specific incidents. However, according to Fiona Bus, communications consultant for Security Awareness, it is commonplace for criminals to make such attempts on university staff. She is not aware of any cases where the University actually lost money.
Maastricht
In terms of internet security, the wake-up call for Radboud University came in 2019, when the University of Maastricht was completely paralysed by a cyber attack. After a week of ‘digital hostage-taking’, the University found itself forced to pay the €200,000 ransom to regain access to its servers.
In the aftermath, security was ramped up considerably, in Nijmegen as well. ‘Since then, all faculties and departments have their own security officer,’ says Wijnhoven. The past few years have also witnessed a proliferation of new techniques for keeping cyber criminals out. ‘For example, it is no longer possible to send a message in the name of another university email address.’ Previously, email spoofing, as this form of fraud is called, was a breeze.
But no matter how much security is in place, emails angling for personal details, data, or money will always slip through. It is therefore also up to employees to be alert. That is why Fiona Bus and her colleagues are working on a campaign to raise people’s awareness, which will be launched next year.
* Rebecca is a fictitious name. Since her name has been repeatedly misused by scammers, she did not want her real name to appear in this article. Her name is known to the editors.