PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name "Perspectives From the Campus Series”, we invite experts -- immersed in the pursuit of educating their students -- to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In the latest installment of this series, David Dungan, who serves as the Executive Director at the Center for Security Services and Cyber Defense at Anderson University, discusses three ways that cybercriminals use to target high school students and shares some helpful tips on keeping your digital life safe and secure.

By David Dungan

Whether you’re a senior, preparing for what’s ahead after you graduate, or you’re a freshman, who’s just trying to figure out where your first class is at, being a high school student is tough enough without having to worry about a cybercriminal stealing your personal information.

According to a study, released earlier this year, found that a student’s personal information is valued at $1,010 on the dark web - that’s one student. The fact is, a cybercriminal can acquire and utilize a student’s credentials for a wide variety of goals, and this often makes high school students a target. Typically, there are three common ways cybercriminals will use to try and steal a high school student’s personal -- and financial -- information, including: botnets, ransomware attacks and impersonation attacks.

• Botnets - Cybercriminals add high school students to a botnet by redirecting them to malicious links, promoting ,malicious software, or harvesting students' data in "free" online tools. These mechanisms infect the high school student's machines, making them part of a larger bot-network. Botnets can have repercussions for the user, such as having the user blocked from certain websites due to their account being connected to malicious activity or becoming a suspect for illegal activity.
• Ransom Attacks and Ransomware - Ransom attacks are schemes involving credentials or sensitive information of the user falling into the attacker’s possession, which the attacker uses as leverage to exploit that user. Some attackers may use ransoms to coerce students into using their parents’ credit/debit cards to pay the ransom. Ransomware attacks occur using malware that prohibits a user from accessing their own digital accounts, files, media, online storage, and other forms of data.
• Impersonation Attacks -- An impersonation attack is a general use term for methods of deception that allow a threat actor to gain access to information that would otherwise be inaccessible to them. Two types of impersonation attacks relevant to students include spoofing and form jacking.
  • Spoofing is a type of impersonation attack that involves a threat actor pretending to be from an entity they are not, while form jacking involves an attacker stealing a user’s data through the user’s direct connection to a website or portal.
  • Students are at the greatest risk of form jacking due to the sensitive nature of the information, shared, for example, when registering for school, as students frequently fill out documentation requesting their full names, date of birth, Social Security numbers, as well as family information, and other details related to such things, as jobs or even scholarships.

To protect yourself, high school students should begin safeguarding their internet usage by practicing good habits of digital security, such as:

• Never sharing personal information with anyone or any place you do not trust.
• Using secure web pages by searching for “https://” instead of “http://” in front of a web address.
• Web browsers will also display a lock in the web address bar to denote a secure web page.
• Ensuring the validity of unknown email addresses by checking with official sources first.
  • If something seems illegitimate, contact the assumed sender to ensure they sent the email that was received.
• Using two-factor/multi-factor authentication.

There is no definitive way to absolutely prevent someone from becoming a victim of identity theft, but practicing cyber-safety goes a long way toward preventing and/or reducing the extortion of data, so as to help high school students focus on what matters most to them.