According to a public service announcement issued by the FBI, college students across the United States continue to be targeted in a common email phishing scam that lures students in with the promise of employment.
It works like this: Scammers advertise phony job opportunities on college employment websites, or students receive emails on their student accounts recruiting them for fictitious positions. If a student responds and shows interest, they are informed that certain supplies or software will need to be purchased before the job can commence. The scammer then sends the student a check to cover the required materials with instructions to deposit the check into their personal bank account. After depositing the check, the student is instructed to wire funds to a “vendor” for the materials necessary to start work. Sounds good, right?
Unknown to the college student, the check is no good. After the check is deposited, the money shows up in the student’s account, but that doesn’t mean the check has actually cleared. It can take several days or even longer for a check to clear, but most banks will make the funds available much sooner. Believing that all is well, the student will wire the funds as instructed for the required materials, which, of course, never show up.
Then comes the bad part. When the bank finds out that the check is bad, it comes after the student for the funds they spent. Unwittingly, the student has sent funds directly to the scammer with money they never had.
Here are two real employment email phishing scam examples from the FBI’s public service announcement:
“You will need some materials/software and also a time tracker to commence your training and orientation and also you need the software to get started with work. The funds for the software will be provided for you by the company via check. Make sure you use them as instructed for the software and I will refer you to the vendor you are to purchase them from.”
“Enclosed is your first check. Please cash the check, take $300 out as your pay, and send the rest to the vendor for supplies.”
The social engineering scam targeting college students continues to be widespread. As part of a study, ID Agent, a firm that monitors the dark web, reviewed the email domains for the top 300 higher education institutions in the United States. The researchers then determined which schools had the highest number of stolen email accounts—from faculty, staff, students and alumni—available to cyber criminals on the dark web. Researchers participating in the study reported having found nearly 14 million email addresses and passwords belonging to people affiliated with US colleges and universities—nearly 80% of which were discovered over the last 12 months alone.
Where were those accounts from? Large Midwestern schools, mostly. The University of Michigan topped the list, followed by Penn State, Minnesota, Michigan State, Ohio State, the University of Illinois, New York University, the University of Florida, Virginia Tech and Harvard.
To protect against this type of email fraud, the University of Colorado offers the following advice to its students:
- Never give out personal information like your social security or bank account number over email or phone.
- Never take a check (even a cashier’s check!) or money order as a form of payment. Fake checks are common and the bank where you cash it will hold you accountable.
- Never cash a check that comes with “extra” money. Scammers send checks that require you to deposit a check at your bank, withdraw the “extra” money as cash, and then deposit that cash elsewhere. The check will bounce and you will be held accountable.
- Never wire funds via Western Union, MoneyGram or any other service. Anyone who asks you to wire money is a scammer.
- Never apply for jobs listed by someone far away or in another country.
- Never agree to a background check unless you have met the employer in person.
- Never apply for a job that is emailed to you out of the blue.
- Be skeptical. If a job is offering a lot of money for very little work, it could be a scammer trying to get personal information from you.
- Research the employer. Do they have a reputable website or professional references? Is the job listing you want to apply for also on their main career page? Note: work-study jobs may not be advertised on employer websites.
- Meet face-to-face with a potential employer. An in-person interview or informal chat over coffee will help you determine the employer’s intentions.
- Be sure to choose a public place to meet, tell someone where you are going and bring your cell phone, just in case.
- Trust your instincts. If a job sounds too good to be true, it is likely a scam.
- If you suspect a scam, report it to the FBI or your campus police department.