A new wave of scam emails advertising a secret shopper position for Ipsos Market Research have been sent from hacked faculty, staff, and emeritus emails beginning Jan. 14. Information Technology Services (ITS) has worked with the affected faculty, staff, and emeriti to rectify the issue.
Interim Public Safety (PSafe) Captain Verrillo notes this scam is more sophisticated than others due to its use of the University logo, hacking of faculty, staff, and emeriti emails, and lack of spelling mistakes. However, Chief Information Security Officer Joe Bazeley notes that scams like this are not uncommon.
“I did not hear from any other schools, but it is likely that many other schools were also targeted,” Bazeley wrote in an email to The Argus. “The sad reality is that scams like this have been so commonplace that they aren’t always reported in the broader information security community in academia. They’ve almost become background noise with how common they are.”
Three current students and two alumni who replied to the emails have reached out to PSafe about the scam, but PSafe is unaware of any students that have lost money through this scam. PSafe says there is a possibility that there are more people who have replied to the email and lost money that have not reported it to PSafe.
Students who responded to the scam were asked for a photo of their driver’s license, then sent a fake check and a letter that asked students to purchase gift cards at stores such as Best Buy or Walmart with the check. One student who tried to deposit the check found that it was invalid.
In addition to implementing multi-factor authentication (MFA), ITS has worked to help users not be deceived by scams. Bazeley highlighted the importance of raising user awareness in protecting users from attacks.
“Almost all of these attacks start because a user was tricked by a scammer and entered their username and password into a website controlled by a scammer,” Bazeley wrote in an email to The Argus. “If we can raise the overall awareness of our users, we can decrease the number of email accounts that are compromised.”
ITS is working on implementing MFA to increase University email security for faculty and staff. Currently, University email accounts only require single factor authentication—their password—to log in. The new system, whose purchase ITS is finalizing, will require users to also use their phone to log into their account.
Claire Isenegger can be reached at firstname.lastname@example.org.
Jocelyn Maeyama can be reached at email@example.com.