New phishing scheme found in student and faculty inboxes
April 6, 2023
After a much-anticipated break, the semester is once again beginning to ramp up, but so is a new phishing scheme. No, not catching fish in a pond; rather, a set of scam emails that appear to come from legitimate company or university addresses but are actually sent from compromised or spoofed accounts.
In an attempt to better inform the student body of these new scams, Library and IT Client Support Specialist Rob Guissanie emailed students last week on March 21 warning of emails offering fake, high-paying, remote job opportunities and others offering fake checks which must be cashed immediately. While the text of these emails can be quite convincing, they are “highly likely” to be scams according to Guissanie.
There has been an increasing number of emails regarding phishing and other scams over the past semester after a number of Bucknell accounts were compromised around the start of the academic year. Since then, the trend has not slowed; according to Information Security Program Manager Brandon Seymore, “these scammers are very smart.”
They know what to say and how to say it in order to trick students into giving up some of their most personal information, but it is not just students they are targeting. Scammers today are finding it increasingly easy to target universities and companies at all levels. Seymore revealed that scammers often use “external compromised accounts” to contact students under the guise of recognizable faculty, staff, or administration, and are mostly motivated by taking your money. These are often called “Impersonation” and/or “Money Mule” scams, respectively. Notably, Google will alert a user when an email they receive from an external source might be a scam.
The biggest issue Library and Information Technology (L&IT) specialists are facing with these scams is that people continue to fall for them despite the plethora of warnings they have been sending out all year. Currently, L&IT staff are discussing the feasibility of launching a cybersecurity awareness training program for the student community on campus. They did just this for faculty and staff on April 3, but further dissemination of this program will require greater consideration of what is and is not necessary to reiterate to the student body.
For now, the biggest tip L&IT staff such as Seymore want the community to know is that “university and company credentials are worth more to scammers now than a social security number” because they are easier to obtain in larger quantities. Check the addresses of the emails you are receiving, do not approve a Duo push notification that you did not initiate, and hover over links first to make sure they are legitimate and will take you to the expected website. If an email asks for your password, your birthday, your bank information, or any other non-public personal information, pause and think about whether that email could actually be a scam. And if you are ever questioning the validity of any email you receive, as Technology Support Specialist Alison Morse says, “come to the Tech Desk”; they would be more than happy to help you out.