After breaches, higher-ed schools adopt two-factor authentication
Payday didn’t go as planned on January 2, 2014, for some Boston University employees. On that day, about a dozen faculty members discovered their paychecks hadn’t been deposited into their bank accounts. Thieves had changed the victims’ direct deposit information and rerouted their pay. BU’s IT security team traced the attack to a phishing email sent to 160 people at the university. The email – which prompted BU faculty to click on a link and confirm their log-in details – led to the compromise of 33 accounts. Thirteen faculty members had their paychecks stolen.
The phishing scam used BU’s logo, had believable formatting, and was well written, said Quinn Shamblin, executive director and information security officer at Boston University. The message purported to be from the school’s IT security office, and contained specific technical information. The only signs it was a fake were a misnamed IT organization and a misleading URL that wasn’t really a BU address.