TO:             Executive Vice Presidents, Chancellors, Vice Presidents, Vice Chancellors, Vice Provosts, Deans, Directors and Heads of Schools, Divisions and Offices

FROM:       Gerry McCartney, University CIO

DATE:        September 13, 2016

RE:             Scam “phishing” emails


Below is an e-mail I plan to send to all our faculty and staff later this week. The purpose is not to address a specific current attack, but rather to respond appropriately to what we see as a persistently increasing threat to us individually and institutionally. If you have questions, please let me know.

Gerry McCartney
University CIO



Scan the news and odds are that you will hear about the latest large-scale security breach plaguing a major organization, from national retailers such as JC Penny and Home Depot to the Democratic National Committee, and even the National Security Agency. In this digital age, no organization is immune, including higher education institutions. A number of Big Ten schools have experienced significant compromises of their institutional accounts. At Purdue, we work vigorously to mitigate cyberattacks. However, as a large, internationally known institution we’re under constant attack.

Frequently, these attacks begin with scam “phishing” emails received by faculty, staff and students containing links to fraudulent websites or dangerous attachments designed to compromise passwords and other sensitive information. The number of Purdue employees and students falling victim is on the rise, with nearly 300 new attacks and more than 9,000 attempts to reach known phishing sites from Purdue’s network so far in 2016 alone. This puts the University community at risk and indicates a need for elevated awareness on campus.

I want to make you aware of two programs, one expanding and one new, that are part of our ongoing efforts to raise awareness and to enhance Purdue's cybersecurity.

* Two-factor Authentication. As the name implies, the system adds a second factor to your password or personal identification number (PIN), in this case a numerical code randomly generated on your smartphone (or a key fob). The addition of the code ensures that your sign-in information changes constantly, but in an easy-to-use manner, which prevents cybercriminals from accessing your account even if they've stolen your username and your base password or PIN. For more information, visit the SecurePurdue website,, and click the BoilerKey button. The IT staff for your campus unit can assist you with setting up the two-factor authentication service if you wish.

* Mock phishing events. Think of it as a phishing fire drill, staged to improve security by exposing vulnerabilities and raising the level of awareness. Later in 2016, we will distribute to segments of the campus community emails displaying obvious hallmarks of a phishing attempt. The exercise will include educational components for email recipients who react in a risky fashion, for example by clicking on a live link in mock phishing emails or opening a file attached to the email. We have already begun intercepting outbound connections from Purdue’s network to known phishing sites and redirecting people who have clicked a malicious link to a Purdue page with anti-phishing advice.

Please report suspicious emails to with the original email attached. This helps Purdue’s security team review the message and determine its legitimacy, as well as block fraudulent websites and emails.