“Call Information Technology Services. Don’t get down on yourself. Don’t be embarrassed. Scammers have gotten savvy and sophisticated. We are way past the Nigerian Prince emails from the past,” says ITS Director of Security, Infrastructure and Operations Joseph Lubomirski, referring to the advance-fee scam that originated in the 1990s. “Now scammers do this type of thing in an organized way. It’s no longer someone sitting in a basement — these are people in corporate offices looking for ways to trick us. Looking at patterns, phishing emails slow down during holidays and long weekends. People are doing this as their 9-to-5 job.”
Lubomirski says the UM-Dearborn community is specifically being targeted by hackers and are sending out professional-looking messages with real U-M employee names.
Recent scam emails, which appeared to be from a U-M health services department, told recipients they’d been exposed to a contagious virus by a colleague. It prompted readers to click on a link , which asked for university credentials including the Duo passcode. Scammers stole information and money. Lubomirski says the first attack happened over the summer and the second occurred earlier this week.
“Some people did report these and we were able to go in and fix the problem, thanks to their reporting,” Lubomirski says, noting that the university financially supported the employees who had their paychecks stolen from the first virus-related scam; no one got phished during the second attack. “As another academic year begins, we want the campus community to be aware of what is happening on our campus and to know what to do if you get a phish.”
Here are a few things Lubomirski says to look for and what to do if you’ve been caught by a phish.
Check the email address.
If you get an email that requests an action that seems a little off, check to see the email. Even if the name is familiar, the email address might not be. “We are not sending stuff from gmail.com for U-M business. If that umich.edu is not there, it is not legit,” Lubomirski says. And if you see a umich.edu address and you aren’t sure if you should respond, Lubomirski has a suggestion. “Instead of hitting reply, start a new email and type in the sender’s name. The U-M email address bar will pull up their information. Then you can see if the request was legitimate. Colleagues aren’t going to be upset that you checked to make sure you’re keeping information safe.”
Lubomirski says someone recently reached out to him from U-M Shared Services when Lubomirski’s email was spoofed. A person posing as him emailed an invoice to Shared Services, asking for payment for an anti-virus software product. “Shared Services was suspicious since that’s not the process for paying invoices and reached out to me. I explained that I didn’t send it,” he says. “Someone created a Geek Squad invoice for $300 and tried to pass it off like I was sending it over to get it paid. It was a real company with a believable amount. So these emails are no longer using the red flag $1 million amount like in the Nigerian Prince scheme. They are getting good at what they do.”
The university won’t ask for information it already has on file.
U-M will not reach out to you to give or confirm information. “It’s not how U-M business is conducted,” Lubomirski says. “And if you are being asked for information, remember that a U-M employee isn’t going to ask you for things that U-M already knows. If we need to confirm your identity, we will not ask you for your password or Duo passcode.”
Instead, there’s a different process in place. “Anytime we need you to prove who you are, we will send a Duo push to your phone to verify,” Lubomirski explains.
Be wary of emails that request immediate action.
A constant with phishing emails is the urgency of them. There’s a psychological reason for this, Lubomirski says. “If there is an urgency there, we don’t have the time to think that this might be bad. These messages prey upon our weaknesses as humans.” Phishing requests often include gift card needs from a supervisor or a required immediate payment to keep a service.
Lubomirski says the recent virus-contact phish also used a different motivating factor: fear. “People are still worried, don’t want to infect others and want information to help us all stay healthy, so they clicked the link quickly,” he says. “If that feeling of immediacy wasn’t there and they checked first, recipients would have noticed that an incorrect title was used and there isn’t a health center at UM-Dearborn. These emails push us to respond quickly so that we don’t take time to look over the details,” he says.
Phone call and text scams are on the rise.
So what’s next? Lubomirski says calls and texts are the next frontier. For example, a text may direct someone to a website or number to call. The website may look legit, but Lubomirski encourages people to do a little digging before giving information or money. “They are setting up websites to make the scams more believable. Your best bet is to end the call if you are on the phone and call the person or company back at a verified number. If it is a text with a link, avoid clicking the link and do your own browser search. If you are unsure of the source, cut off the original communication stream and start a new one. That way you know who you are talking with.”
If you think you’ve been phished, report it.
This one might seem painful, but Lubomirski wants to emphasize that there isn’t a reason to feel shame if you occasionally get caught by a phish: “I promise there’s no ITS naughty list. These people are great at what they do and we know that. And the only way we can protect you and our campus is to know when these things happen. We’ll coach you through it.”
Here are three ways to get help.
Story by Sarah Tuxbury.