New School Hit With Phishing Scam

Published

A small number of New School employees have been the victims of fraudulent phishing emails, resulting in the unauthorized access of their New School accounts, and the possible threat of identity theft, according to an email sent by the director of Information Security, David Curry.

In the email sent on March 8, Curry stated that some employees provided personal information, such as their NetID and password in response to the emails, resulting in unauthorized account access. Access to New School accounts includes a program called MyDay, which stores employee information such as tax forms that contain an individual’s social security number.

“Phishing is a way to get people to reveal important usernames and passwords to malicious people and organizations,” said senior vice president and chief information officer, Anand Padmanabhan. “It can also be used to attempt to install malware on a person’s computer.”

The possible source of the phishing scam were emails that were made to look like they were sent by Information Technology with information from President David Van Zandt, but were actually sent from non-New School email addresses.

“I am pretty sure that I have received some of these emails, but I did not open them because they looked suspicious,” said Aaron Jakes, assistant professor of History.

Padmanabhan stressed the seriousness of these incidents, and recommends that students, faculty, and staff be diligent about recognizing possible phishing.

Curry advised that members of the community should always be suspicious of emails asking for personal information. He also suggested that users should never respond to an email requesting personal information, and that users should never click on the links in suspected phishing emails.

“Please be aware that The New School — including IT Central, President and Provost, Human Resources, Student Services, and all other university departments — would never request personal information from you this way,” Curry said in the university-wide email. “These emails should be ignored and deleted.”

He added that The New School’s Information Technology department, and IT Central, will never send emails stating that mailbox or file server storage limits have been exceeded, or ask users to click on a link to upgrade an account.

In addition, they will never send emails asking for users to click on a link asking to “confirm your information” or provide their NetID and password.

If students or faulty suspect that they have been a victim of a phishing email, and have given out personal information, they should visit account.newschool.edu to change their password, and should also contact IT central at 212-229-5300 x4357. Those whose accounts have been hacked should place a fraud alert on their credit files to prevent identity theft, said Curry.

Correction: A previous version of this article provided the incorrect extension for IT Central. It has since been updated.


Photo by Orlando Mendiola.