Scam emails targeting University students, faculty, and staff are continuing to circulate this semester, according to Information Technology Services (ITS) and Public Safety (PSafe).
Scam emails are nothing new, and many are reported to PSafe and ITS every semester. However, because of the COVID-19 pandemic, scam emails and phishing attacks are on the rise. While Chief Information Security Officer Joe Bazeley said he hasn’t seen an increase in the number of scam emails sent out to the University community, he told The Argus the response rate to these scam emails is likely higher than normal because of high levels of unemployment.
“Generally speaking scammers take advantage of whatever’s front of mind with folks,” Bazeley said. “If someone randomly emails you and says, I’ll pay you $300 for a day’s worth of work and you’ve been unemployed for the last two months, you’re probably going to be a little bit more receptive to that scam than you should have been just because you’re desperate.”
Although it’s likely that many more have circulated, four separate scam emails have been reported to ITS and PSafe this semester. All of the scams claimed to offer employment opportunities where recipients could earn hundreds of dollars per week.
On Sept. 8, a scam email was sent to 1,321 recipients. Recipients were told that they had been selected for a “Secret Shopper” position paying $450 per week. The email was signed by someone claiming to be a Human Resources Specialist. While no one responded to the email, Bazeley observed that it is difficult to tell if the scam was effective as it contained a web link which recipients were asked to click on and the University does not track browsing history.
The second scam, sent out on Sept. 9, claimed that recipients had been referred by the “Universities Educational Chamber
of Commerce” for a position paying $400 a week. The scam asked recipients to respond to the email with their phone number and personal email address. The email was sent to 1,744 recipients, and 15 people
The third scam was sent to 1,433 recipients on Sept. 20 by someone claiming to be a clinical counselor for the department of Disability of Health and Human Services (which does not exist at the University). The email also advertised a position paying $320 weekly for three hours of work. According to Interim Captain of PSafe Paul Verrillo, one student responded to the scam.
The fourth, which was sent to 758 recipients on Sept. 28, had two respondents. This email was sent from Professor of Economics, Emeritus Richard P. Adelstein’s University email account, which had been compromised by scammers. Like the other scams, the email advertised a research aide position paying $400 a week. Recipients were asked to respond to the email and provide their full name, phone number, and an alternative email address. Another round of the same research aide scam was sent out to 559 recipients on the morning of Oct. 1. One person responded to this round of the scam.
The University has also taken several steps to prevent email accounts from being compromised. They recently purchased a $13,500 multi-factor authentication system for faculty and staff emails from Duo Security, Inc. Currently, University email accounts only require single factor authentication—their password—to log in. An open pilot for the authentication system will begin in October and run through the end of the calendar year, possibly until January 2021. After this open pilot ends, the multi-factor authentication system will become mandatory for staff and strongly recommended for faculty.
Verrillo explained that if recipients do respond to the scammers, they are often asked to cash a forged check and then purchase gift cards from stores such as Walgreens, Best Buy, or Walmart to send to the scammer.
“When you buy a gift card and scratch off the back and send them the code on the back, that money is gone, they have the gift cards and they use them,” Verrillo said. “They usually buy things online right away, and that money’s gone.”
Verrillo also said that scam emails typically have a very low response rate.
However, this does not mean that the scams are unsuccessful.
“If one or two people respond, they’ve made a few thousand dollars,” Verrillo said.
To address these scam emails, the University’s Student Employment Office—in coordination with Bazeley and Gordon Career Center Director of Operations Rachel Munafo—is drafting a letter about legitimate employment opportunities that will be sent out to students later this week.
“We suspect that the people sending these phishing emails are attempting to capitalize on the increase in students attending schools remotely and seeking remote work-study positions,” Senior Assistant Director of Financial Aid Robyn Ewig, who is part of the team drafting the letter, wrote in an email to The Argus.
Verrillo, Bazeley, and Ewig explained that there are a number of things to look for to determine whether an employment
opportunity is legitimate or not. One red flag is if a potential employer asks you to buy gift cards or send money to them via Western Union before you start working for them. In both instances, if recipients do fall for the scams, it is near impossible for them to get their money back. Unlike real job offers, there are usually severe spelling and grammatical errors.
Typically—as was the case with the four scams mentioned above—scammers will also promise to pay you a large amount of
money for a small amount of work.
“Nobody’s really gonna pay you $100 an hour or $200 an hour for a couple of hours work,” Verrillo said.
Another red flag is if the scammer claims to have received a recipient’s name from a University professor or staff member.
“Nobody on campus is going to give out names,” Verrillo said. “They’re not going to recommend people for that. So I would really encourage people to—if it says it was from human resources or we got your name from your department chair or something like that—follow up with those people just to make sure.”
Like Verrillo, Bazeley also encouraged people to be wary about job offers that come through email.
“People need to be more skeptical of the internet,” Bazeley said.
If any students, faculty, or staff think they might have received a scam email they can email firstname.lastname@example.org to verify whether it is legitimate or not.
Claire Isenegger can be reached at email@example.com or on Twitter @claireisenegger.