
Cybersecurity (2)

26/06/2024

The TU/e is alert to cybercrime. Students and employees are urged to check anonymous e-mail addresses and not to click on suspicious links. But what turns out to be the case? The TU/e sends those kinds of mails itself.

Last June, I wrote a column about an e-mail I received from our security officers. I was critical of that mail because it was about a data breach that wasn't that exciting. That column led to a response from our Chief Information Security Officer (CISO) Martin de Vries, who publicly corrected me not to think too lightly about cybersecurity.

Of course, he had a point. He also rightly stressed the need to carefully check every e-mail for phishing. I quote: "check the sender's e-mail address, check any links in the message by hovering over the link, is there any urgency in the message?" This is also how I taught my parents to handle e-mails: never trust e-mails that come from an unknown sender, are not personally addressed to you and contain links that require you to click. To make this even clearer, these days Outlook also comes up with a warning, "you don't often get e-mail from ...", with a link explaining why that is important. When in doubt, my father calls me and I check with him.

When I recently returned from two weeks of vacation, I had several dozen e-mails with the subject line "reminder mail for an invoice for approval" in my mailbox. They were sent from "invoicing@esize.nl", not addressed to me personally, and consisted simply of a "login" button whose link points to an obscure external URL. If I am to follow the CISO's guidelines, these e-mails go straight, as attachments, to abuse@tue.nl, especially since all twenty of them came with the warning "you don't often get mails from ...".

Having neatly reported the first few mails earlier this year, I now know better. These are official mails from our billing system. Unlike all other urgent mails without salutation from strange addresses with "click here" buttons, these mails require me to simply click on "login", only to be redirected to a domain outside the TU/e, where I am apparently logged in with my TU/e credentials, in order to approve the invoices there.

When I discussed this with some colleagues, they suggested sending around a nice phishing mail ourselves. A nice copy of these mails, with a login button redirecting to a fake page with which I could then collect logins from colleagues. Now I'm always up for a joke myself, but this just went too far for me.

Moreover, Dr. Pavlo Burda has already shown earlier this year that such an action on my part would be reported fairly quickly to the Computer Emergency Response Team of the TU/e, and then Martin would have to correct me again via Cursor.

Boudewijn van Dongen is a professor of Process Analytics at TU/e. The views expressed in this column are his own.
