MSUToday
Published: July 7, 2020

New phishing scam targets college communities

Contact(s): Ri'An Jackson University Communications jack1432@msu.edu, Dan Olsen University Communications office: 517-884-8675 olsenda2@msu.edu

Watch out for suspicious emails — a new phishing scam is targeting college communities across the country.

Phishing, a cyber-attack used to con victims into releasing personal information like usernames, passwords and credit card details, poses a major threat to many people and businesses. In fact, 64% of organizations experienced a phishing attack in 2018.

Phishing can result in identity theft, financial losses, locked accounts and spam emails.

Phishers trick victims into disclosing credentials or sending money by impersonating trusted entities and creating fake email addresses, links and attachments.

And in this phishing scam, cybercriminals are targeting university students, staff, faculty and alumni as well as university donors by creating fraudulent Gmail accounts in the guise of the school’s president.

“They’re emailing — starting out a conversation. They’re trying to build a rapport, and then they will ask for money or gift cards,” says Daniel Ayala, MSU’s Interim Chief Information Security Officer.

Victims may be swindled by a familiar name or email address or may believe a fake story crafted by the scammers. They don’t know the president well enough to be able to call and verify requests made in the phishing emails — so they are duped into giving money or personal information to criminals, said Ayala.

“Human nature is to want to help, and [scammers] know that people are often afraid to ask people in authority,” he said.

It’s crucial to keep a close eye on all email addresses and domains to prevent a phishing attack. Phishers can create copycat email addresses that can be difficult to identify with a glance.

“Look closely at the sender email address. And don’t just look at the name,” said Ayala. “Look at the actual address because that’s the real deal — I can make the name say anything I want. If somebody is asking you for information, for money services, check to make sure the email address is legitimate and call to verify if you have any questions.”

Suspicious links and attachments are also used to deceive victims and should not be opened if sent from unknown sources. If there are links in an email, first identify where it goes, says Ayala. “If it goes to a domain that you don’t trust, don’t click on it.”

Other red flags of phishing emails could be typos as well as strange or vague wording, unusual requests for money or personal information or writing with a sense of urgency.

Although there are spam filters that remove many phishing emails, cybercriminals have been able to get past them by using new techniques that are difficult to automatically detect.

If you think you may be receiving phishing emails, visit https://secureit.msu.edu/phishing/.