Higher Education: Protecting Against Anthem Phishing Scams with Two-Factor Authentication
Post-breach, Anthem customers have been warned of subsequent phishing scams. And a large number of those customers include faculty, staff and students from major universities across the country, as Anthem provides health plans and other services for many higher education customers.
That includes universities that are customers of Anthem, including Amerigroup, Anthem and Empire Blue Cross Blue Shield companies, Caremore and Unicare. Bluecard members are also impacted. Any customers that used their insurance in California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia, and Wisconsin are also affected. For a full list of the independent Blue Cross and Blue Shield plans not owned by Anthem that were also affected, check out the Anthem FAQ.
Blue Cross and Blue Shield Federal Employee Program plan members are also impacted - the Blue Cross and Blue Shield Service Benefit Plan is part of the Federal Employees Health Benefits Program.
To see if your university was affected, check out this list of .edus returned in Google search results for the phrase “anthem breach university.” While not an exhaustive list, it does reveal the far-reaching effects of a breach of one major company.
Anthem Phishing Scams May Target University Faculty, Students and Staff
So what does this phishing scam look like? If you received an email that looked like the one below, including a link that says “Click Here To Get Your Free Year of Credit Card Protection,” then I hope you didn’t click it, because it’s likely the link takes you to a fake site intended to steal your login credentials or download malware on your computer.
In addition to emailing, phishers are also cold-calling customers, as KrebsonSecurity.com reports, suggesting the data may have already fallen into the wrong hands, or others are just taking advantage of the breach to target potential customers. With up to 80 million people affected, the chances of hitting an Anthem customer are pretty high.
Anthem warns against these phishing attempts in their FAQ: DO NOT click on any links in email. DO NOT reply to the email or reach out to the senders in any way. DO NOT supply any information on the website that may open, if you have clicked on a link in email. DO NOT open any attachments that arrive with email.
Anthem also stated that they would be sending out official emails to those affected during the week of February 16, 2015 - this email doesn’t ask for personal information and doesn’t contain a link to any websites other than AnthemFacts.com. The company is also sending snail-mail notifications.
Phishing scams not only affect Anthem’s customers, but can also affect the security of student and staff accounts at universities. Since people notoriously reuse passwords, it’s possible attackers may take stolen credentials and try them across different logins to see which ones work. Where accounts are protected by only a username and password, it’s likely the attackers will succeed in accessing a university’s network, which can result in a data breach.
Two-Factor Authentication Protects University Logins
Deploying a security solution to strengthen access security at universities for students and staff may help deter phishing and password-reuse attempts. Two-factor authentication can stop remote attackers by requiring the use of a personal device, such as your smartphone, to log into applications commonly used by students and staff, including student portals and financial aid accounts.
Duo Security’s two-factor solution can be easily integrated with GreyHeller’s Enterprise Resource Planning (ERP) Firewall and Oracle’s PeopleSoft suite of applications to protect higher education users, including apps for HR, financial, supplier relationships, enterprise services (like billing, project management, contracts, etc.), supply chain management, and a tool to help integrate these applications. For specific use cases, read Two-Factor Authentication for PeopleSoft Apps & Higher Education.
Duo has a long history of working with higher education, supporting institutions through InCommon, a trust framework committee providing security and privacy resources and information for research, higher education and their partners in the U.S.
InCommon also operates a related assurance program and certificate and multifactor authentication services. In addition, Duo’s involvement with Internet2’s Net+ program allows universities to roll out two-factor authentication very broadly and at a very affordable price.
A Duo Security Higher Education Case Study
Duo protects the University of Michigan Departmental Computing Organization (DCO)’s faculty, staff and students. Their Electrical Engineering and Computer Science (EECS) servers were regularly targeted by hackers, and administrative account passwords were the weak link.
In order to protect their internal network and systems from hackers, they chose Duo Security’s two-factor authentication solution due to its ease of deployment, simplicity of use and cost-effectiveness.
They integrated Duo with their network of Unix servers, Windows computers and web applications, including custom applications, by adding only a few lines of Duo-provided code, as well as leveraging Duo’s web APIs. Read the University of Michigan Departmental Computing Organization Success Story.