In an age almost completely run by technology, it is important to learn how to stay safe, especially in an educational context where students use technology for almost everything.
Over the past few weeks, the university has become subject to email phishing. Email phishing is where “a target is contacted by email, telephone or text message by someone posing as a close personal contact or on behalf of a legitimate institution,” according to the telecommunications company Verizon. “The objective is to get people to reveal sensitive data such as their account numbers, home address, banking/credit card details and usernames/passwords.”
According to Annette Short, the university’s Director of IT Operations, the first phishing scams happened during the week of Oct. 9: “Bad actors, posing as members of Capital University law enforcement, contacted students or their parents to coerce them into giving them money.”
Short reminded students that legitimate law enforcement agencies would never call and threaten them with arrest for money.
During the week of Oct. 22, a mobile check scam occurred, this time in the form of both emails and text messages. According to Short, the senders of these emails claimed to be employees of the Career Services and Human Resources departments or the president of the university.
“Again, the scam may have some variations,” said Short. “However, the goal of this scam includes unsolicited telephone calls, texts and/or email messages under false pretenses for financial gain.”
These emails usually “involve the receipt of a mobile e-check which is to be deposited into the victim’s bank account. The e-check will always include an extensive overpayment amount. After the victim deposits the fake check into their account, the bad actor will request the victim to immediately return the overpayment amount back to them via wire transfer, cashier’s check or money order.”
Most students who received these emails recognized them as phishing attempts, but one student unknowingly deposited a fake e-check into their account and sent this money back to the scammer. The student was advised to contact their bank immediately to intercept the transfer of money and to make a police report.
The IT department has already begun taking measures to ensure these phishing scams don’t happen again. These measures include changing passwords, resetting multi-factor authentication settings and assisting students with investigations into phishing scams.
The university’s IT team uses a spam filter server, Barracuda, that filters out “thousands of spam messages per day, before they are distributed to individual user accounts.” The few emails that slip past Barracuda do so because they come from compromised “capital.edu” email addresses.
Short provided a list of ways to identify scam emails:
- Carefully examine the “from” email address to see if it matches the company or person it claims to be from.
- Check for obvious grammatical errors or typos, which are common in scam emails.
- Be wary of emails that create a sense of urgency, demanding immediate action or threatening consequences if you don’t respond quickly.
- Hover your mouse over links in the email to see the actual URL; if it looks different from the expected website, it could be a scam.
- Emails starting with “Dear Customer” or “Dear User” without a personalized name are often red flags.
- Personal information requests are always a red flag. Legitimate companies rarely ask for sensitive information like passwords or credit card numbers through email.
- Be cautious of unexpected attachments from unknown senders.
- If the sender is not someone you’ve met at a job fair or related to a job for which you’ve applied, you should automatically be cautious about the legitimacy. If you are communicating with someone you’ve never met in person or a company with no online information who is asking for your information, it’s most likely a scam.
If the bad actor is claiming to be a Capital University employee, check to ensure the sending address is an @capital.edu address. If not, do not engage and terminate all communication immediately. You should also contact the Capital employee directly on campus.
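Several of the checks above can be automated when triaging a reported message. The sketch below is an added example, not code from the article or the university's IT team. The names `triage` and `Links` and the word lists are assumptions, the sample message is constructed, and it handles single-part messages only.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "capital.edu"  # the university domain named in the article
PATTERNS = {  # word lists are illustrative assumptions, one per checklist item
    "urgency": re.compile(r"\b(immediately|urgent|right away|arrest)\b", re.I),
    "generic-greeting": re.compile(r"\bdear (customer|user)\b", re.I),
    "asks-sensitive-data": re.compile(r"\b(password|credit card)\b", re.I),
}
HOST = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class Links(HTMLParser):  # collects (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.pairs, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.pairs.append((self.href, self.text.strip()))
            self.href = None

def triage(raw):  # raw: one single-part message as text; returns tripped checks
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    flags = [] if sender_host == TRUSTED else ["sender-not-capital.edu"]
    flags += [name for name, rx in PATTERNS.items() if rx.search(body)]
    parser = Links()
    parser.feed(body)
    for href, text in parser.pairs:
        shown = HOST.search(text)  # a hostname displayed as the link text
        real = (urlparse(href).hostname or "").lower().removeprefix("www.")
        if shown and shown.group(1).lower().removeprefix("www.") != real:
            flags.append("link-text-mismatch")
    return flags

# Constructed sample from a compromised capital.edu account: sender check passes.
SAMPLE = """From: Career Services <jdoe@capital.edu>

<p>Dear User, deposit the e-check and return the overpayment immediately.</p>
<p><a href="http://capital-edu.example.net/apply">www.capital.edu/apply</a></p>
"""
```

Calling `triage(SAMPLE)` shows that a message sent from a compromised @capital.edu account passes the sender check, so the content and link checks still have to be applied.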