In a recent advisory, the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) warned higher education institutions about sophisticated phishing attacks that target faculty and staff credentials to access payroll information, and in at least one case, insurance policy information. The attackers are closely researching institutions’ systems and practices to spoof e-mails and web portals to trick users into providing credentials to access universities’ and colleges’ payroll information. Universities and colleges should view this warning as an opportunity to improve their anti-phishing training and examine their cybersecurity policies.

The phishing attacks described in the REN-ISAC notice target university faculty and staff whose e-mail addresses can be “scraped,” or harvested, from public campus websites. The victims receive an e-mail purporting to be about a change in salary from the university’s human resources department, and they are instructed to follow a link to review information about salary changes. That link connects to a web page that spoofs the university’s human resources or payroll portal and collects the victim’s login credentials. The attacker then uses these stolen credentials to change the victim’s direct deposit settings to reroute payroll deposits to the attacker’s account. These types of attacks appear to be well planned and highly orchestrated, as they very closely mimic university images, URLs, and were often sent during faculty review periods.

REN-ISAC suggests universities make several changes to defend against these latest phishing attacks. These prevention techniques include:

  • Using two-factor authentication or virtual private network requirements
  • Alerting users when direct deposit information has changed
  • Redacting sensitive information available to the user in online systems to prevent the loss of additional personal information
  • Implementing systems to identify suspicious transactions in payroll systems, such as transactions routed to unusual geographic locations or users with duplicate account numbers

Phishing attacks remain some of the most common cybersecurity threats. While these specific attacks targeted payroll information, user credentials obtained through phishing attacks can be used to compromise other parts of an institution’s network, which may contain sensitive personal information, intellectual property, or other confidential data. Educational institutions can protect themselves, their employees, and data by regularly reviewing their information security policies and practices. These practices should include training faculty and staff on information security, including how to identify phishing attacks. Additionally, institutions should take advantage of cybersecurity information-sharing organizations to receive information on the latest cyberthreats.

Ballard Spahr’s Privacy and Data Security Group regularly assists higher education clients in responding to data breaches and regulatory data security requirements. Members of the Group regularly work with clients to develop and implement data security plans and privacy policies.

If you have questions about best privacy and data security practices or the FTC’s guidance on this issue, please contact Privacy and Data Security Group Leader Beth Moskow-Schnoll at 302.252.4447 or, Philip N. Yannella at 215.864.8180 or, or Daniel JT McKenna at 215.864.8321 or

Copyright © 2014 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Related Practices

E-Discovery and Data Management
Privacy and Data Security