How to Avoid Common Phishing Scams
Service Advisory: Uptick in Phishing Emails Impersonating New York Institute of Technology Employees
As we make our way to the end of the fall semester and the holiday break, we would like to remind you to be diligent in watching for phishing emails. Over the past several weeks, Service Central has been notified by a number of faculty and staff members who have received messages from senders that are impersonating managers, deans, athletic director/coaches, and supervisors – even the president. This is a practice known as “spoofing.” Different versions of these emails ask the recipient to:
- Quickly arrange for a gift card purchase for an athletic recruit, or prospective student, or to cover a university expense
- Make an immediate wire transfer to an unfamiliar account
- Pay an online invoice
Typically the FROM address shows the name of a New York Tech manager, department chair, or dean, paired with an unfamiliar (often free webmail) address. Sometimes the address itself is forged and looks like a real nyit.edu address. The SUBJECT may be a generic request for help (for example, “Quick Task,” “Are you available,” “Urgent request”) or an invoice number. The body of the email may be something as simple as “Are you free? I’m heading into a meeting and cannot accept a phone call” or “Can you text me at xxx-xxx-xxxx,” or something a little more descriptive such as “I need you to help me get iTunes gift cards from the store. I’ll reimburse you when I get back to the office.”
In all cases the request is framed as urgent, and the intent is to make it appear that someone in a position of authority at New York Institute of Technology is directing you to complete a university or personal task via email. By responding, you risk financial loss, malware, and account compromise.
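The pattern just described (a familiar display name on an unfamiliar or forged address, a Reply-To that leaves the organization, and urgent payment language) is exactly what a mail-security team checks mechanically when one of these reports comes in. The Python below is an added example and is not New York Tech's own tooling; the one-entry staff directory, the receiving-server name `mail.example`, and the three messages are all constructed for illustration. It also shows why a message that "passes" SPF and DKIM can still be an impersonation: the scammer's free account authenticates fine for its own domain.

```python
"""Triage heuristics for the "boss needs gift cards" impersonation pattern."""
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "nyit.edu"

# Hypothetical staff directory (constructed): published display name -> real address.
DIRECTORY = {"Jane Doe": "jane.doe@nyit.edu"}

# Phrases the advisory lists as typical of these requests.
URGENCY = re.compile(
    r"\b(urgent|quick task|are you (?:free|available)|gift cards?|wire transfer|invoice|text me)\b",
    re.I,
)


def domain_of(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def auth_failures(msg):
    """spf/dkim/dmarc results in Authentication-Results that are not 'pass'."""
    fails = []
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            if result.lower() != "pass":
                fails.append(f"{mech.lower()}={result.lower()}")
    return fails


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    from_dom = domain_of(addr)
    findings = []

    # 1. Display-name impersonation: a published name on a non-nyit.edu address.
    if name in DIRECTORY and from_dom != TRUSTED_DOMAIN:
        findings.append(f"display name '{name}' on external address {addr}")
    # 2. Published name on our domain, but not that person's directory address.
    elif name in DIRECTORY and addr.lower() != DIRECTORY[name]:
        findings.append(f"display name '{name}' on unexpected nyit.edu address {addr}")

    # 3. Reply-To that steers the conversation away from the From domain.
    _, reply = parseaddr(str(msg["Reply-To"] or ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To {reply} leaves the From domain")

    # 4. What the receiving mail system recorded for SPF/DKIM/DMARC.
    findings += auth_failures(msg)

    # 5. Urgency / payment language in subject or body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = f"{msg['Subject'] or ''} {body}"
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings


# Constructed sample 1: known name, free-mail address; auth passes for *its* domain.
SAMPLE_FREEMAIL = """\
Authentication-Results: mail.example; spf=pass smtp.mailfrom=example.net;
 dkim=pass header.d=example.net; dmarc=none header.from=example.net
From: Jane Doe <deanoffice.jdoe@example.net>
To: staff@nyit.edu
Subject: Quick Task

Are you free? I'm heading into a meeting and cannot accept a phone call.
I need you to help me get iTunes gift cards from the store.
"""

# Constructed sample 2: forged nyit.edu From address, fails DMARC, external Reply-To.
SAMPLE_FORGED = """\
Authentication-Results: mail.example; spf=fail smtp.mailfrom=nyit.edu;
 dkim=none; dmarc=fail header.from=nyit.edu
From: Jane Doe <jane.doe@nyit.edu>
Reply-To: jdoe.office@example.org
To: staff@nyit.edu
Subject: Urgent request

Can you text me? I need a wire transfer arranged today.
"""

# Constructed sample 3: the genuine article, which should produce no findings.
SAMPLE_GENUINE = """\
Authentication-Results: mail.example; spf=pass smtp.mailfrom=nyit.edu;
 dkim=pass header.d=nyit.edu; dmarc=pass header.from=nyit.edu
From: Jane Doe <jane.doe@nyit.edu>
To: staff@nyit.edu
Subject: Agenda for Thursday

Attached is the agenda for our Thursday meeting.
"""

if __name__ == "__main__":
    for label, sample in [("freemail", SAMPLE_FREEMAIL), ("forged", SAMPLE_FORGED), ("genuine", SAMPLE_GENUINE)]:
        print(label, triage(sample) or ["no findings"])
```

Note what the first sample shows: SPF and DKIM pass because the scammer owns the free-mail domain, so "authenticated" is not the same as "legitimate"; the display-name mismatch is the finding. The second sample is the forged-address case, where the receiving server's DMARC failure is the clearest signal, which is also why reporting the message as an attachment (headers intact) matters more than forwarding it.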
Email Phishing Scams
New York Institute of Technology’s IT department estimates it catches 150 virus-carrying emails and 20,000 spam messages daily. Even so, phishing emails (social-engineering messages designed to trick you into giving up credentials or personal information) often make their way into nyit.edu inboxes. Phishing “bait” can also arrive as instant messages, false ads on web pages, and other forms of electronic communication. The following information can help guard you against potential attacks.
How do Scammers Get Our Names and Email Addresses?
New York Institute of Technology publishes contact information on many college, school, department, and unit websites. Scammers can easily find organizational web pages with contact addresses, publicly visible email groups that contain names and email addresses, and postings on social networks with names and addresses. They then set up free email accounts using those names and send messages to the groups and individuals they found online.
What You Can Do
- Be suspicious of communications with urgent, unfamiliar requests. Review the sending email address closely (not just the display name) to see whether it is a nyit.edu address. If you are at all unsure of an email, check with the apparent sender by phone call, chat, or in person, using a number or contact method you already have rather than one supplied in the message. Do not reply to the request itself.
- Ignore any request for payment via gift card. "Anyone who demands payment by gift card is always, always, always a scammer," according to the Federal Trade Commission (FTC). "Gift cards are for gifts, not payments."
- Verify unusual requests for money (via wire transfer, gift card, or other means) from your supervisor or leadership before acting.
- Don't open unexpected attachments or shared documents. Scammers frequently send emails that appear to be from someone you know to trick you into an action that will lead to infecting your computer with malware.
- Report emails impersonating people at New York Tech by sending them to firstname.lastname@example.org. If possible, send the email as an attachment rather than forwarding it, so the original headers are preserved for analysis.
- Report compromise. If you suspect you fell for a scam or your account was compromised, change your password immediately and contact Service Central at email@example.com or via phone at 516-686-1400.
- And remember: We will NEVER ask you to reset your password via a link sent in an email.
Other Ways to Combat Online Theft of Information
- Misspellings and awkward grammar in an email that claims to come from a company are a strong sign of a scam: delete it. The reverse is not true; a polished message is not proof that it is legitimate.
- Never give out personal, financial, or other sensitive information to just anyone who requests it.
- Be suspicious of email that requests sensitive information.
- Never click on links embedded in an email that seems to come from a bank, financial institution or e-commerce vendor.
- Do not fill in forms attached to an email that ask for sensitive information.
- Never give out bank or account information without checking with the financial institution through a phone number or website you already know. Do not rely on the URL starting with HTTPS: that only means the connection is encrypted, and phishing sites use HTTPS too. Look at the actual domain name in the address bar instead.
- When in doubt, check! If you doubt the authenticity of a message, check directly with the institution.
[Annotated example email not reproduced here.] At first glance the message looks fine, but take a closer look and don’t be duped.
Common Phishing Tactics
- Email Spoofing: The forgery of an email name/address so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a popular tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate or familiar source. The goal of email spoofing is to get recipients to open and/or respond to an urgent request. Do not respond to unusual requests. Always contact the person the email is allegedly coming from via phone or in person if you are unsure.
- Spear Phishing: A phishing attack aimed at a specific individual, usually with a spoofed or look-alike sender. Spear phishing messages appear to come from a trusted source within the recipient’s own organization (generally someone in a position of authority) or from someone the recipient knows personally. Even if the sender appears to know you, never provide account information or passwords via email. Also, do not reply to the message; instead, forward it to a known email address of the person it claims to come from (e.g., an nyit.edu email address) and ask whether they sent it.
- Pharming Phish: Tampering with domain name resolution (a hijacked domain or poisoned DNS) sends you to an impostor site to steal information or online payments, even when you typed the right address. “SECURE” or “HTTPS” in the address bar means only that the connection is encrypted to the site named there; it does not prove the site is genuine. Check that the domain name is the one you expect, and treat a certificate warning on a site you normally use as a reason to stop.
- Google Docs/Dropbox Phishing: Web page(s) that mimic these sites and request your login credentials. Enabling 2-step verification for these services greatly limits the damage, because a stolen password alone is no longer enough; an authenticator app or hardware security key resists phishing better than SMS codes.
- Tech Support Scams: A “technical support” email requesting you to click on a link to enter your login information to avoid an interruption of service. Tech support members always request to talk with you before asking for access to your system.
- Infected Attachments: It’s simple—NEVER, EVER, EVER—we really mean NEVER—open an attachment with an .exe extension (or other executable types such as .scr, .js, .vbs, .bat, or macro-enabled Office files), or any attachment from someone you do not know.
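Two items above (the note under “Other Ways to Combat Online Theft of Information” about HTTPS, and the pharming entry) make the same point: the padlock tells you the connection is encrypted, not who you are talking to. The Python below is an added example, not part of the original advisory, that shows how to read the host a link actually resolves to once the dressing is removed. The domains `login-portal.example` and the Cyrillic-letter look-alike of nyit.edu are constructed for the demonstration.

```python
"""Where does this link really go? Host checks that HTTPS alone does not give you."""
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "nyit.edu"


def assess_link(url, trusted_domain=TRUSTED_DOMAIN):
    """Describe the real destination of a URL.

    Returns the host the browser would connect to, whether the scheme is
    https, whether that host is the trusted domain or one of its subdomains,
    and whether the host carries non-ASCII or punycode labels that can hide
    look-alike characters.
    """
    parts = urlsplit(url.strip())
    # .hostname lower-cases the host and strips 'user:pass@' and ':port',
    # so 'https://nyit.edu@login-portal.example/' yields 'login-portal.example'.
    host = parts.hostname or ""
    labels = host.split(".")
    on_trusted = host == trusted_domain or host.endswith("." + trusted_domain)
    lookalike = (not host.isascii()) or any(label.startswith("xn--") for label in labels)
    return {
        "host": host,
        "tls": parts.scheme.lower() == "https",
        "on_trusted_domain": on_trusted,
        "lookalike_risk": lookalike,
    }


def verdict(url, trusted_domain=TRUSTED_DOMAIN):
    """One-line summary of assess_link() suitable for a help-desk reply."""
    r = assess_link(url, trusted_domain)
    if r["lookalike_risk"]:
        return f"STOP: host {r['host']!r} contains look-alike or encoded characters"
    if not r["on_trusted_domain"]:
        note = " (HTTPS does not make it ours)" if r["tls"] else ""
        return f"STOP: host {r['host']} is not {trusted_domain}{note}"
    if not r["tls"]:
        return f"caution: {r['host']} is ours but the link is not HTTPS"
    return f"ok: {r['host']} is on {trusted_domain} over HTTPS"


if __name__ == "__main__":
    # Constructed links: genuine, subdomain trick, userinfo trick, homoglyph, plain http.
    for link in [
        "https://www.nyit.edu/",
        "https://nyit.edu.login-portal.example/",
        "https://nyit.edu@login-portal.example/",
        "https://ny\u0456t.edu/login",
        "http://www.nyit.edu/",
    ]:
        print(f"{link:45} -> {verdict(link)}")
```

The second and third links both start with "https://nyit.edu" and both have a padlock, yet neither connects to nyit.edu: one buries the real domain after extra labels, the other puts "nyit.edu" in the user-info part that browsers discard. The fourth swaps a Latin "i" for a Cyrillic one, which is why the check refuses any host with non-ASCII or `xn--` labels rather than trying to compare them by eye.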
Service Central will continue to update this web page with information about common phishing tactics and best practices to avoid these scams. For more information, or to report any suspicious activity, please email Service Central at firstname.lastname@example.org or call us at 516-686-1400.
For More Information, Refer to these Resources:
- Phishing Scheme Targets Professors’ Desire to Please Their Deans — All for $500 in Gift Cards. (Chronicle of Higher Ed, 1/23/2019)
- Beware of Growing Scam Involving Gift Cards. (CBS, 12/26/18)
- Scammers Increasingly Demand Payment by Gift Card. (FTC, 10/16/18)
- SCAM OF THE WEEK: "The Boss Needs iTunes Gift Cards for Customers... NOW." (KnowBe4 Security Awareness Training Blog, 9/12/18)
- Asked to Pay by Gift Card? Don’t. (FTC, 5/31/18)