Editorial: ‘Spear phishing’ at University of Hawaii at Manoa

Academics, who live in a world of sharing and collaboration, were among the first to use hyperlinks to share documents; they were among the founders of the internet, in fact.

And now that universities are seeking military research contracts, their projects are powerful lures and they themselves become rich targets for “spear phishing.” The University of Hawaii at Manoa and its Applied Research Laboratory have been among them, as have institutions such as the University of Washington and the Massachusetts Institute of Technology.

Such attacks, conducted by Chinese hackers, came to light Tuesday in a story published in The Wall Street Journal. This kind of break happens when a hacker does enough research of a target through social media and other online sources, and then impersonates their friend or associate in an email containing a malware-imbedded link.

The breach at UH actually happened about two years ago, said Jodi Ito, UH chief information security officer. Prior to that discovery and after it, the university has deployed broad cybersecurity education efforts and strategies such as multi-factor authentication to ward off fake log-ins. Staff and faculty also are warned not to answer email via mobile apps, which can camouflage suspicious email addresses. Academics are schooled in facts, but here are warned to start with their gut instinct. If the email doesn’t sound like that friend, Ito tells them to pick up the phone and check. Good advice for the rest of us.