According to a public service announcement issued by the FBI, college students across the United States continue to be targeted in a common email phishing scam that lures students in with the promise of employment.
It works like this: scammers advertise phony job opportunities on college employment websites, or students receive emails on their student accounts recruiting them for fictitious positions. If a student responds and shows interest, they are informed that certain supplies or software will need to be purchased before the job can commence. The scammer then sends the student a check to cover the required materials with instructions to deposit the check into their personal bank account. After depositing the check, the student is instructed to wire funds to a “vendor” for the materials necessary to start work. Sounds good, right?
Unknown to the college student, the check is no good. After the check is deposited, the money shows up in the student’s account, but that doesn’t mean the check has actually cleared. It can take several days or even longer for a check to clear, but most banks will make the funds available much sooner. Believing that all is well, the student will wire the funds as instructed for the required materials, which, of course, never show up.
Then comes the bad part. When the bank finds out that the check is bad, it comes after the student for the funds they spent. Unwittingly, the student has sent funds directly to the scammer with money they never had.
Here are two real employment email phishing scam examples from the FBI’s public service announcement:
“You will need some materials/software and also a time tracker to commence your training and orientation and also you need the software to get started with work. The funds for the software will be provided for you by the company via check. Make sure you use them as instructed for the software and I will refer you to the vendor you are to purchase them from.”
“Enclosed is your first check. Please cash the check, take $300 out as your pay, and send the rest to the vendor for supplies.”
The social engineering scam targeting college students continues to be widespread. As part of a study, ID Agent, a firm that monitors the dark web, reviewed the email domains for the top 300 higher education institutions in the United States. The researchers then determined which schools had the highest number of stolen email accounts—from faculty, staff, students and alumni—available to cyber criminals on the dark web. Researchers participating in the study reported having found nearly 14 million email addresses and passwords belonging to people affiliated with US colleges and universities—nearly 80% of which were discovered over the last 12 months alone.
Where were those accounts from? Large Midwestern schools, mostly. The University of Michigan topped the list, followed by Penn State, Minnesota, Michigan State, Ohio State, the University of Illinois, New York University, the University of Florida, Virginia Tech and Harvard.
To protect from this type of email fraud, the University of Colorado offers the following advice to its students:
Agari’s Email Trust Platform, deployed by Fortune 1000 companies and government agencies, is the only solution that effectively stops phishing by identifying the true sender of emails. Agari’s proprietary analytics engine and email telemetry network provide unparalleled visibility into over 2 trillion emails every year across 3 billion mailboxes. This insight drives the company’s Trust Analytics machine learning engine, which uniquely enables enterprises to stop phishing attacks against their employees, students and customers.