Help Defeat Complex Email Scams

Imagine receiving an email from a professor or a colleague asking if you are interested in a job or an internship, perhaps right at the time when job-search stress is setting in. Now imagine you are the professor named in the email and you receive an email or call from a student about a job you never offered, a job that likely does not exist at all. Suddenly you both realize you are victims of a complex scam.

Unfortunately, this scenario is a very real one playing out at academic institutions across the country, including U-M. Through social engineering and email sleight of hand, scammers steal data, and sometimes money, from individuals and create tremendous headaches for companies and organizations. To defeat them, it’s important to understand the three key aspects of these schemes.

Employing Social Engineering

Social engineering uses old-fashioned confidence tricks with a digital twist. The scammer uses widely available public information to craft convincing messages offering easy rewards. To do this, the scammer will:

  • Impersonate real members of the institution, such as professors and administrators.
  • Target other members of the same institution, such as students and staff.
  • Offer something people want in return for little effort, such as an easy job with vague requirements.
  • Craft repeat messages to gather information and build false trust.

Hiding Scammer Identity

To further the illusion when impersonating a sender, the scammer will use some email tricks to hide who they are. These tricks include:

  • Creating email accounts that mimic real ones, such as rjonsen.umich.edu@gmail.com if the real professor’s address is rjonsen@umich.edu.
  • Spoofing names and addresses.
  • Using a “reply-to” address that goes to the scammer’s account instead of the real one.
  • Asking for replies to a “personal number” such as a cell phone.

Abusing Banking Processes

Watch out for scams that are trying to get you to send money. One of the most common is the request to purchase gift cards or prepaid credit cards. A more complicated method is for the scammer to send a check or e-check to the target, ask them to cash it, and then return part of the money, or use the money to buy and send gift cards or prepaid credit cards. Such check overpayment scams take advantage of your bank crediting you for the deposit, making it look like you received the funds. When your bank finds out the check was fake, you are left with the bill for the amount that was spent.

Here are some ways you can defeat social engineering tricks and expose complex scams:

Asking smart, simple questions. Is it likely someone would offer you a job without you applying for it? Would that professor or administrator normally contact you directly? Is the thing being offered just a little too easy or convenient? As in most things in life, if the offer sounds too good to be true, it likely is.

Checking the sender’s email address. Try hovering over email addresses or sender names to spot ones that are close but not exact matches, such as name.umich.edu@gmail.com. Look at the reply-to address to see if it’s different from the sender address: the sender name and address can be faked, but the scammer will have to use another address to get a reply.

Verifying the sender’s identity. The final word on defeating these scams is to always verify that senders are who they say they are, and can offer what they claim to offer. For folks at U-M, that means looking up the sender in MCommunity and then emailing or calling that person yourself without replying to the suspicious message. A little upfront effort could save you from falling for a scam, help alert the impersonated party of trouble, and protect you and the university.
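The two address checks described above (a lookalike sender and a mismatched reply-to) can also be run automatically against a message's headers. The following is an added example, not part of the original article or any U-M tooling; the function names, warning labels and sample messages are constructed for illustration, and example.com stands in for a scammer-controlled domain.

```python
from email import message_from_string
from email.utils import parseaddr

INSTITUTION_DOMAIN = "umich.edu"  # domain used in the article's examples

def domain_of(address):
    """Return the lowercased domain of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""

def check_headers(raw_message, institution=INSTITUTION_DOMAIN):
    """Return warning labels (hypothetical names) for the header tricks above."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    local_part = from_addr.rpartition("@")[0].lower()
    warnings = []

    # Lookalike: the institution's domain shows up in the local part or the
    # display name, but the mail really comes from some other domain.
    inside = from_domain == institution or from_domain.endswith("." + institution)
    if not inside and (institution in local_part or institution in display.lower()):
        warnings.append("lookalike-sender")

    # A spoofed From still needs a different address to receive the reply.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        warnings.append("reply-to-differs")
    return warnings

# Constructed sample messages (not real mail).
LOOKALIKE = ('From: "R Jonsen" <rjonsen.umich.edu@gmail.com>\n'
             "Subject: Part-time job offer\n\nAre you available?\n")
SPOOFED = ('From: "R Jonsen" <rjonsen@umich.edu>\n'
           "Reply-To: rjonsen.office@example.com\n"
           "Subject: Part-time job offer\n\nReply with your cell number.\n")
GENUINE = ('From: "R Jonsen" <rjonsen@umich.edu>\n'
           "Subject: Office hours\n\nSee you Tuesday.\n")

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE), ("spoofed", SPOOFED),
                      ("genuine", GENUINE)):
        print(name, check_headers(raw))
```

A differing reply-to also occurs in legitimate mail such as mailing lists, so treat that warning as a prompt to verify the sender, not as proof of a scam.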

You can report phishing and other email abuse at U-M to ITS Information Assurance (IA). IA actively monitors the U-M environment and publishes alerts about phishing that is active in our community. See phishing alerts and subscribe to the IA Phishing Alert RSS feed on Safe Computing.