There will likely never come a day when the online world is completely free from criminals, hackers and thieves. The best you can do is learn to recognize their tactics so you don't become a victim of things like:
- Credit card theft
- Pop-up ads that install spyware to capture your personal information
- Phishing sites posing as the real thing to lure you into their scams
- Spam emails, instant messages, and bogus Web sites that deliver spyware to your computer and compromise your computer security
- Loan fraud, mortgage fraud, lines-of-credit fraud, credit card fraud, commodities and services frauds that exploit consumers' credit worthiness
Scammers are getting increasingly good at making their email messages look legit. It can be difficult to distinguish a real message from a dangerous fake. Here are some simple things you can do to protect yourself from phishers who are out to steal your identity, your money or your security:
- Learn how to tell the difference between a legitimate company URL and an imposter.
- Mouse over all links before you click on them. Hover over the link, and you should see the actual URL displayed either next to your mouse arrow or in a corner of the window. If the actual URL isn't one that you recognize and trust, don't click! Even if the rest of the email looks legitimate. Never click on unknown email links.
- Pay attention to an email's 'Reply To' address. Even if the email seems to be from someone you know, look at the actual address.
- Never click on links to web logins. Instead, open a new browser window and type the company's address yourself.
- Beware of scare tactics informing you of account revalidation processes or quota limits. Most online services will never ask for your username and password by email.
- Don't fall for enticing 'Prize Winnings,' 'Purchase Order' or 'Work Opportunity' scams. You are not the 999,999th visitor.
Business Email Compromise Attacks (BEC)
A BEC is a highly focused phishing attack in which a cyber criminal impersonates a company's excutive in an attempt to get an employee, customer or vendor to transfer funds or sensitive information. The criminal will often study recent company news or research employees on social media in order to craft a very convincing message, making it harder for spam filters (and victims) to spot the fake.
BEC attacks can come from an email account that has been successfully phished, or it could come from a lookalike domain that is one or two letters different than the real address. These urgent requests usually appeal for money or sensitive data.
Always double-check before sending money or data, no matter who the email is from or how important the request seems.
For more information go to www.ic3.gov/media/2018/180611.
Bitcoin Blackmail/Extortion Scams
Beware of emails from individuals who claim to have compromising information on you and demand payment in Bitcoin (or any cryptocurrency). The scammer may say he has video of you from your webcam, or links to naughty sites he says you visited. He may even present you with one of your old passwords as "proof" (which he likely got from an old data breach). And he may threaten to send this embarrassing information to everyone in your contact list if you don't pay up.
It's a scam. Don't pay the ransom. Of course, if you still use the password that's presented, definitely stopo using that password and change it immediately. But do not respond to the email in any way.
Gift Card Scams
Special situations (like pandemics, current events or holidays) give attackers an additional opportunity to attempt scams. At ODU, attackers have recently imitated people we know, created fake email accounts and sent messages to solicit personal information. Here's an example of how it could be done:
Let's say Big Blue works in ITS. An attacker might create an email account like firstname.lastname@example.org, find a list of ITS employees on our website, then email those employees asking for their personal phone numbers. Big Blue's co-workers recognize his name and respond, not knowing they're giving personal information to a stranger.
Once the attacker has the cell phone numbers, the employees start to receive text messages about an urgent issue that requires payment in gift cards. It's a scam. And because the original emails don't contain malware, there is no way for us to systemically detect them as scams.
To protect yourself, always verify the identity of anyone you send personal information to, and never pay anyone in gift cards.
If you fall victim to a scam, open a police report with the ODU Police (email@example.com or 683-4000). You can also file an FBI complaint at the Internet Crime Complaint Center, www.IC3.gov . If you accidentally click on a suspicious link or think you might have been infected with malware, contact the ITS Help Desk.
Other Forms of Social Engineering
Social Engineering is a psychological attack in which an attacker tricks people into making mistakes in handing over their personal information.
An attacker creates a plausible fabricated story in order to increase the chances of gaining information or causing an undesirable action.
Defense: Go straight to the true source. If an email that appears to be from a co-worker seems suspicious, verify it directly with the individual outside of email.
A targeted phishing attack designed to trick an individual versus a broad audience. The attacker usually does research on a company's web site and then references current events or initiatives at that company to trick an employee.
Defense: Even if a message appears to be from a co-worker or other trusted associate, pause before taking an urgently requested action. Look for any indicators that something isn't right - maybe the "from:" address is one you have never seen, or the manner of communicating is a bit different than usual.
An attacker uses a false promise or incentive - loan forgiveness, a salary study, free music, or inside information - as bait to trick a recipient into opening a malicious document or website.
Defense: Do not open a document or click on a URL in an email unless you are absolutely certain that it came from a trusted source with legitimate purpose.
Quid Pro Quo
The promise of some benefit in exchange for information or an action. One common approach is to impersonate an IT support person who promises some support benefit in exchange for a password, executing an attachment or disabling anti-virus.
Defense: Similar to baiting, verify the source before performing the request.
An attack in which a targeted individual or group is directed to a trusted website that has been compromised (or maybe an advertisement on the site has been compromised) in a way that injects malware onto the targeted individuals computer.
Defense: In addition to the usual precautions of not responding to suspicious email, make sure your operating system, web browser and applications are all patched and up to date, and enable anti-virus or endpoint protection that can detect when malicious software attempts to download or execute.
The use of malicious software that poses as an anti-virus or a malware removal kit, often after a false claim that malware has been detected, causing a target to react out of fear.
Defense: Anti-virus or endpoint protection can increase confidence and lower the likelihood of falling victim to a rogue attack.
Tips to avoid social engineering schemes:
- Do not open emails, open attachments or follow URLs in emails from untrusted sources. If anything seems out of the ordinary or unlike the supposed sender in any way, contact the person directly, outside of email, to verify the source.
- Do not trust offers from strangers. If an offer seems too good to be true, it probably is.
- Follow safe computing practices and good computing hygiene.
Spyware used for identity theft can be the most harmful and difficult type of spyware to remove. There are a few things you can do to protect yourself:
- Continually check the accuracy of personal documents and deal with any discrepancies right away.
- Practice safe email protocol:
- Don't open messages from unknown senders.
- Immediately delete messages you suspect to be spam.
- Avoid free software.
- Get the latest Windows patches.
- Use public computers with extreme caution.
- Beware of peer-to-peer file sharing services.
- Use anti-virus protection and a firewall.
- Get anti-spyware software protection.
Scams That Target Universities
The Internet Crime Complaint Center (IC3) is aware of multiple scams targeting universities, university employees and students across the nation. The scams range from Internet fraud to intrusions. The following are common scenarios:
- Spear phishing emails are being sent to university employees that appear to be from their employer. The emails claims some type of issue has arisen requiring them to enter their login credentials. Once employees provide their user name and password, the perpetrator accesses the university's computer system to redirect the employees' payroll allocation to another bank account.
- Scammers are posting online advertisements soliciting college students for administrative positions for which they would receive checks by mail or email. Students are directed to deposit the checks into their accounts, and then print checks or wire money to an individual. Students are never asked to provide their bank account information to the perpetrators. (More information here.)
- Perpetrators are compromising students' credentials resulting in the rerouting of their reimbursement money to other bank accounts. The reimbursement money is from student loans and used to pay tuition, books and living expenses.
- Perpetrators are obtaining professors' personally identifiable information and using it to file fraudulent income tax returns.
- Some universities have been victims of intrusions, resulting in the perpetrators being able to access university databases containing information on their employees and students.
If you have been a victim of one of these scams or any other Internet-related scam, file a complaint with the ODU Police Department at firstname.lastname@example.org.
You can also file a complaint and find additional information at the FBI's Internet Crime Complaint Center: www.ic3.gov.
Be aware and watch out for job scams. Talk with a career advisor through Career Development Services to learn effective job search techniques, and use Careers4Monarchs Link to search for jobs that have been vetted for ODU students.
Be aware of job offers or internships that are "too good to be true," using common sense. If you receive a job opportunity through your ODU email account and...
- the company name does not match the email address
- you are offered a large amount for little or no work
- you are offered a job without ever interacting with the offerer
- you are asked to transfer money from one account to another
- you are offered a check before you do any work
- you are asked for your credit card, bank account, or copies of personal documents
- you are required to send any payment by wire service or courier
- you are offered payment in exchange for use of your bank account (often for depositing checks or transferring money)
- you receive a large check unexpectedly
...then it's probably is a job scam!
If you have been a victim of one of these scams or any other Internet-related scam, file a complaint with the ODU Police Department at email@example.com. Official ODU Career support can be found at www.odu.edu/success/careers.
The FBI has more information about how employment scams work: https://www.ic3.gov/media/2017/170118.aspx
You've worked hard your entire college career. Your grades are outstanding, and you receive an invitation (maybe several!) to join what looks to be a prestigious honor society. But how can you tell the difference between an organization that seeks to recognize your hard work and one that seeks to separate you from your hard-earned money?
USA Today has some tips:
- Most legitimate honor societies are certified by the Association of Collegiate Honor Societies
- Investigate the honor society's lineage. If it has a long, well-documented history, it's probably legit.
- If the organization is for-profit instead of nonprofit, that's a red flag.
- Remember: Many older and prestigious honor societies don't send out invitations until the end of junior or senior year.
Learn more here.
University staff members have reported receiving phone calls from an individual claiming to be from an IT/printer vendor or IT/Helpdesk office. The caller subsequently tries to gain the user's trust through conversation.
The end-user is coerced into providing department device information, or directed to make changes to their desktop system. The goal of the caller is to gain access to machines or to be able to submit a fraudulent invoice to the department with the information collected.
What can you do?
Tips for identifying this Scam include:
- The originating calling number is non-ODU.
- The caller claims to be from ITS security, the ITS help desk or a printer vendor.
- The caller tries to take control of the conversation by constantly asking questions, and does not allow you to question his motives.
- The caller may have you visit non-ODU sites or provide system or printer information in an attempt to download or install malicious software. The information provided could also be used to send fraudulent invoices to the University.
Do not provide additional information to any callers about your office environment. Information such as names, positions and job roles could be used to make future scam attempts more convincing and successful.
If you receive a call from a non-ODU phone number claiming to be the help desk, ITS or a printer vendor, kindly request that they call back to the help desk number, (757) 683-3192.
If the individual hangs up please report the issue to the ITS Help Desk at (757) 683-3192.
The FBI Norfolk Division is warning consumers to be on alert for a phone scam, primarily targeting college students, in which the incoming call shows up on caller ID as an FBI phone number.
The FBI has received multiple complaints from students at various colleges and universities alerting to a phone scam in which someone claiming to represent the U.S. government threatens to arrest them if they fail to pay thousands of dollars. In each case, the threats are associated with false claims ranging from money owed for student loans to delinquent taxes and overdue parking tickets.
During each attempt the caller has claimed to have specific student information in order to obtain personally identifiable information, and the originating number appears on students' caller ID as the phone number for a local FBI field office.
The public is reminded that the FBI does not call private citizens requesting money, and citizens should never provide sensitive, personal or financial information to unsolicited callers.
Anyone who receives these calls is advised to disconnect immediately and notify the FBI by filing a complaint online through the FBI's Internet Crime Complaint Center at www.IC3.gov/complaint.