According to MSU police and IT Services, the employees were the victims of an increasingly nuanced form of electronic fraud known as phishing. Phishing fools users into giving up sensitive personal information by posing as a trusted source.

The perpetrators of the attack used the employees’ credentials to gain access to their accounts, MSU IT Services End User Support Director Katherine Ball said.

“It is suspected that a fraudulent email was delivered to these employees and they did click on the link,” Ball said.

In August, a similar phishing attack at the University of Michigan caused multiple employees to fall victim to similarly sophisticated phishing attacks, AnnArbor.com reported.

“What were finding is that these emails that are being sent by perpetrators are just very believable,” Ball said. “All of us have to be vigilant.”

Ball said the emails might be full of links to MSU’s website, with only the link to disclose personal information being fraudulent.

MSU police Sgt. Florene McGlothian-Taylor said the department has no further developments in the case, which is under investigation.

The attack comes during IT Services’ campaign to promote safe computing practices for National Cyber Security Awareness Month.

MSU IT Services is continuously engaged in efforts to promote security against malicious efforts that have grown more sophisticated and difficult to detect, Ball said.

A 2010 study from researchers at Carnegie Mellon University and the Indraprastha Institute of Information Technology found that of all age groups, users aged 18 through 25 were most likely to fall for phishing attacks.

The study said that users “tend to judge a website’s legitimacy by its ‘look and feel,’ which attackers can easily replicate.” The study also said that awareness of phishing doesn’t reduce a user’s vulnerability to attacks.

Ball said students always should be cautious when looking at emails, and should never disclose any personal credentials.

The Web page for the campaign, SecureIT, encourages students to “be aware of phishing,” use strong passwords and have an understanding of copyright and file sharing risks.