• Rich Barlow

    Senior Writer

    Rich Barlow is a senior writer at BU Today and Bostonia magazine. Perhaps the only native of Trenton, N.J., who will volunteer his birthplace without police interrogation, he graduated from Dartmouth College, spent 20 years as a small-town newspaper reporter, and is a former Boston Globe religion columnist, book reviewer, and occasional op-ed contributor.

Comments & Discussion

Boston University moderates comments to facilitate an informed, substantive, civil conversation. Abusive, profane, self-promotional, misleading, incoherent or off-topic comments will be rejected. Moderators are staffed during regular business hours (EST) and can only accept comments written in English. Statistics or facts must include a citation or a link to the citation.

There are 19 comments on Internet Scammers Change Some BU Direct Deposit Accounts

  1. BU IT,

    Would it be useful if people with BU email forwarded suspect phishing emails to you? I get them on a regular basis. Usually the bad grammar makes me laugh. And the from email address is not BU.

    Might be time to add a challenge question to certain levels of login.

    1. Anytime, any month… why bother changing it then?

      While it’s always a good idea to change your passwords, this isn’t because a server was hacked and passwords decrypted; actual hacking and phishing are vastly different things. If you weren’t one of the people to give out your password you shouldn’t have to worry about changing your password, though you always can if you want to. Obtaining someone’s logon and Kerberos shouldn’t allow anyone access to any vital BU systems or info; all vital BU systems should require another form of authentication in order to obtain access to it.

  2. @XYZ – I am the Executive Director of Information Security at Boston University and part of the team that investigated this incident. Just as you suggest, one of the actions we undertook was to contact the people who had accounts logged in to from suspicious IP addresses and ask them to change their password. If you have not heard from someone in HR or the IT Help Center either yesterday or today, your account was not specifically found to have been accessed by one of the suspicious IP addresses. That said, it is a good idea to change your password periodically precisely to stymie abuse such as this, especially if you have used that same password anywhere else but at BU. (Another major way that passwords get compromised is if they are used on a different website that gets compromised.)

    Also, scammers sometimes try to leverage events such as this for an additional layer of scamming. If anyone tries to contact you and says they’re going to help you change your password but asks you to tell them what your password is as part of “helping you”, hang up or delete the email. People legitimately from BU HR or the IT Help Center should be directing you to trusted resources on http://www.bu.edu to do this work. Here is where you go for instructions on how to change your password: http://www.bu.edu/tech/accounts/kerberos/reset/

    Never give your password to anyone, even a friend, coworker, someone from IT or your supervisor.

    1. Mr. Shamblin,

      I agree. Please be advised that I wanted a refund of my money for a canceled LL.M. class; after some difficulties, for the first time I was asked to give “only” my direct personal account info, even though I paid by credit card. Also, in the past I always had options to pay or get a refund by credit card or transfer as well. This time direct account info was the only option, and people assisting me in the process advised me not to take this only option, so I had to write an email with specific credit card transfer only.
      Touching educational organizations such as BU is not a game; it affects a main pillar of the international flow of money to the US and its economy and business trust image locally here in the US as well. It’s a discouragement for many prospective supporters.
      Thank you.

      1. A reply from Mr. Shamblin:

        “Generally no. Responding in any way just lets the attacker know that a live human is at the other end of that address and they will redouble their efforts. They will also likely sell that address to other spammers/phishers as a “confirmed” live email address. Responding just buys you more of the same.”

  3. This did not impact me, however, I recall seeing the email. This should be a wake up call for both BU IT (IS & Tech), BU IT should encourage employees only to use self-service portals for all activities, and minimize emailing employees and students clickable URLs that require ID and Kerberos passwords in order to access to a page or data.

  4. Noticeably missing from this article is WHAT the University did for the employees whose pay checks were hijacked! As an employee, that troubles me. Were these employees, who earned their pay and did not receive it through any fault of their own, reimbursed through a hard replacement check? Perhaps hand-delivered to their workplaces?

    Please let your employees know what happens in a case like this and how it is handled by the University.

    1. Kitty,
      I’m the Chief Human Resources Officer at BU… Absolutely, all of the employees received the pay due to them, and we worked with them on how they wanted to receive the pay – either a hard check or a wire transfer to an account of their choosing. Our goal was to ensure our employees were kept whole.

    2. I don’t think we can say it is through “no fault of their own” – it sounds like they provided their login and Kerberos to a phishing scam. I’m sure there were many other employees targeted who knew better than to give up their information.

  5. Why do I get so many spam emails? There must be something that can be done to prevent this. Other organizations are doing this. Wake up! How do I know my other personal information that BU has is protected?

    1. I am completely with you that spam is an ongoing and very irritating part of life. We do have spam filters and anti-spam technology in place at BU, but many people don’t realize that there are two parts to making our defense effective. One we have already done; one needs to be done by you.

      Because we have so many different kinds of people here doing so many different kinds of work, it is much more challenging to definitively determine whether a message is really spam or not. The technology we have does not remove a message totally unless it surpasses a certain threshold score. Messages that score lower than “absolutely spam” are still probably spam, but they *might* not be. We don’t want to run the risk of accidentally deleting a message that invites one of our professors to speak at a professional symposium, for example, and such a message may look very much like certain kinds of spam.

      In these cases, our system marks the message as “probably spam” but still lets it through to you. If you would like to improve the efficacy of your spam removal, you can configure your end client to be more aggressive by automatically deleting messages marked in this way.

      For instructions, see this page: http://www.bu.edu/tech/comm/email/unwanted-email/spam/
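The two-tier handling described in the reply above (gateway drops only above a high score, tags the “probably spam” band, and the user’s client decides what to do with tagged mail), as an added illustration that is not BU’s configuration or code. The header names, thresholds and sample messages are all constructed for the example.

```python
"""Two-tier spam handling: gateway threshold plus an optional client rule.

Assumptions (constructed, not BU's actual setup): the gateway writes a
numeric X-Spam-Score header, removes anything at or above DROP_THRESHOLD,
and tags anything at or above TAG_THRESHOLD with X-Spam-Flag: YES. The
user's mail client may then delete tagged messages or keep them.
"""
from email import message_from_string
from email.message import Message
from typing import Tuple

TAG_THRESHOLD = 5.0    # "probably spam": tagged but still delivered
DROP_THRESHOLD = 10.0  # "absolutely spam": removed at the gateway


def gateway_decision(raw: str) -> Tuple[str, Message]:
    """Return ('drop' | 'tag' | 'deliver', parsed message) as the gateway would."""
    msg = message_from_string(raw)
    try:
        score = float(msg.get("X-Spam-Score", "0"))
    except ValueError:
        score = 0.0  # unparsable score: treat the message as unscored
    if score >= DROP_THRESHOLD:
        return "drop", msg
    if score >= TAG_THRESHOLD:
        msg["X-Spam-Flag"] = "YES"  # tag only; the recipient still gets it
        return "tag", msg
    return "deliver", msg


def client_decision(msg: Message, aggressive: bool) -> str:
    """The end client's rule: in aggressive mode, tagged mail is deleted."""
    if aggressive and msg.get("X-Spam-Flag", "").strip().upper() == "YES":
        return "delete"
    return "inbox"


def route(raw: str, aggressive: bool = False) -> str:
    """Combined outcome for one raw message: 'drop', 'delete' or 'inbox'."""
    verdict, msg = gateway_decision(raw)
    if verdict == "drop":
        return "drop"
    return client_decision(msg, aggressive)


# Constructed sample messages (not real mail).
INVITE = "From: chair@example.org\nX-Spam-Score: 6.2\nSubject: Invitation to speak at our symposium\n\nDear Professor, ..."
PHISH = "From: helpdesk@example.net\nX-Spam-Score: 14.8\nSubject: Verify your Kerberos password\n\nClick here ..."
DIGEST = "From: news@example.edu\nX-Spam-Score: 1.1\nSubject: Weekly digest\n\n..."
```

The symposium invitation lands in the inbox by default and is deleted only once the user opts into the aggressive client rule, which is the trade-off the reply describes.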

  6. My opinion is that the IS&T security team is doing an excellent job in keeping us all “safe” as we do our work. What we don’t read about is all the successful rejections of network, browser, and email attacks that are happening as you read this. I imagine they could produce log files that would make our hair stand on end. The statement that this affected 10 users is serious, but I think it also means they were doing their jobs and they need to rely on us to follow the best practices and common sense suggestions outlined here – http://www.bu.edu/tech/security/resources/bestpractice/
    Finally, a tip of the hat to XYZ!! Change your password regularly and keep it to yourself.

  7. A few things:

    One: this has been true since the times of AOL and dial-up. ISPs, employers, and even store websites would never ask for your passwords via e-mail; if there is an e-mail asking you to correct your password via a website, it should be just as suspect. If in doubt, just contact IS&T if it’s BU-related, or customer service.

    Two: at the very least, check the URL you are on. If it’s not http://www.bu.edu/whatever and you have a doubt, again contact IS&T.

    Three: if you don’t want SPAM in your BU e-mail box, or at least want to drastically cut down on it, STOP entering your BU e-mail into every e-mail request box that you can.
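Point two above (“check the URL you are on”) is easy to get wrong by eye, because a link can contain the text “bu.edu” without pointing at bu.edu. The check below is an added example, not BU’s code; it assumes the only trusted site is bu.edu and its subdomains, and the sample links are constructed.

```python
"""Decide whether a link really lands on bu.edu or one of its subdomains.

Added example (not BU's code). Assumes bu.edu is the only trusted domain.
Looks at the parsed host name, not at whether "bu.edu" appears anywhere in
the string, so user@host tricks, look-alike domains and non-HTTP schemes
are all rejected.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "bu.edu"


def is_trusted_link(url: str) -> bool:
    """True only when the URL's host is bu.edu or ends in '.bu.edu'."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False  # malformed URL (e.g. bad IPv6 literal)
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, mailto: and friends are not web pages
    host = parts.hostname  # drops user@, :port and [] and lower-cases the name
    if not host:
        return False
    # Internationalised or punycode hosts are never the plain bu.edu name.
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return False
    if host.startswith("xn--") or ".xn--" in host:
        return False
    host = host.rstrip(".")  # "bu.edu." is the same name with a trailing dot
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)
```

Compare the genuine reset page from the Information Security reply above against links whose host is merely a look-alike: only the former passes.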

  8. That’s what happens when you take the entire banking system and reduce it to a bunch of 0’s and 1’s. As far as these employees being somewhat responsible, that’s nonsense; when you mandate they receive direct deposit, you bear the responsibility, period.
