University: Anti-phishing not really a “policy”

[Image: Bogus Citibank login from phishing email]

The University of Minnesota’s HR department sent me an email in January telling me that I had to submit to a background check. The good news: I do them all the time.

The bad news: the background check company can only complete the check if you follow a URL embedded in an email.

This is how phishing emails work. The email comes from a convincing-sounding source, like the University’s HR department, or some third party on their behalf. You respond to it, only to find that it really wasn’t the HR department collecting the information.

Bottom line: you can’t trust email. No matter how many times it says “This isn’t a spam email,” or “This isn’t a phishing email,” you can’t trust email.

[Update 5 January 2018: The UMN HR department has sent me TWO possible phishes as I prepare to take up my reappointment. I passed this to the IT Security people. They have ‘spoken to’ the HR department, and they started a phishing blog.]

Shortly after the background check emails, the HR department sent a Payroll email saying:

A word of caution: Some University employees have received a fraudulent email instructing them to click on a link to access their form. This message did not come from the University and was a phishing attempt. The University of Minnesota, including the Office of Human Resources, will never ask you to provide personal information such as passwords in a reply to an email.

I asked for clarification. Here it is: UMN will never ask for personal info via email, except when they can’t help it. Anti-phishing is not an enforced policy but merely a best practice they know about but can’t always implement.

I contacted both the IT security people and HR’s policy compliance team to understand this pseudo-policy.

Surprisingly, IT security treated it as my problem: I needed reassurance.

I had several emails with a program director in Institutional Compliance. She actually talked to people about the problem. She concluded that the anti-phishing statement I quoted above is a “best practice” and not really a binding “policy” for either the HR Department or the University. That was what I expected, though I had some (tiny) hope of a safer solution.

What Happened

I teach 1 course a year for the University. For the first time, I was asked for a background check. I was told via the following email:

You are receiving this message because you recently applied for employment with University of Minnesota. University of Minnesota has asked General Information Services, Inc. (GIS) to conduct a background check to determine your eligibility and suitability for employment. We now need you to give your consent and supply information for the background check. For additional information regarding GIS, please visit
The link in the How to Respond section below will guide you through a few screens where you will be asked to provide additional information and consent for the requested search. You will need to have the following information available before you click the link to begin:
  1. Your social security number.
  2. Your date of birth.
  3. Your current and previous addresses, including zip codes.
[... more stuff omitted ...]
How to Respond:
 Click the link below to enter GIS secure website. (If you are using text-formatted email, please copy and paste the entire link into your web browser to launch the correct page.)
Login to Applicant Site
Thank you for your interest in employment with University of Minnesota!

I ignored this, because I didn’t think HR would really be so irresponsible in its data collection. Then I received another email, directly from HR:

You recently received the following e-mail from our vendor, directing you to a website to complete your background check information. This is legitimate and is not SPAM. Please follow the directions and submit your information as soon as possible as the link will expire within 5 days.
Let me know if you have any questions,
 HR Specialist
P.S. If you do not receive the e-mail, please check your SPAM folder.

It took Institutional Compliance about a month to actually track this down. Here is the conclusion:

However, changes to the current process bring these communications into better alignment with best practices in gathering verification. Specifically, requests will be emailed directly from Human Resources to candidates. The vendor link cannot be housed directly on the HR website due to contract arrangements; however, the link will be included in the email with more language to address legitimacy and transparency in the request.

In other words, HR tries to fix email’s inherent lack of trust by sending even more email.