“Call Information Technology Services. Don’t get down on yourself. Don’t be embarrassed. Scammers have gotten savvy and sophisticated. We are way past the Nigerian Prince emails from the past,” says ITS Director of Security, Infrastructure and Operations Joseph Lubomirski, referring to the advance-fee scam that originated in the 1990s. “Now scammers do this type of thing in an organized way. It’s no longer someone sitting in a basement – these are people in corporate offices looking for ways to trick us. Looking at patterns, phishing emails slow down during holidays and long weekends. People are doing this as their 9-to-5 job.”
Lubomirski says the UM-Dearborn community is specifically being targeted by hackers, who are sending out professional-looking messages with real U-M employee names.
Recent scam emails, which appeared to be from a U-M health services department, told recipients they’d been exposed to a contagious virus by a colleague. The emails prompted readers to click on a link, which asked for university credentials including the Duo passcode. Scammers stole information and money. Lubomirski says the first attack happened over the summer and the second occurred earlier this week.
“Some people did report these and we were able to go in and fix the problem, thanks to their reporting,” Lubomirski says, noting that the university financially supported the employees who had their paychecks stolen from the first virus-related scam; no one got phished during the second attack. “As another academic year begins, we want the campus community to be aware of what is happening on our campus and to know what to do if you get a phish.”
Here are a few things Lubomirski says to look for and what to do if you’ve been caught by a phish.
Check the email address.
If you get an email that requests an action that seems a little off, check the sender’s email address. Even if the name is familiar, the email address might not be. “We are not sending stuff from gmail.com for U-M business. If that umich.edu is not there, it is not legit,” Lubomirski says. And if you see a umich.edu address and you aren’t sure if you should respond, Lubomirski has a suggestion. “Instead of hitting reply, start a new email and type in the sender’s name. The U-M email address bar will pull up their information. Then you can see if the request was legitimate. Colleagues aren’t going to be upset that you checked to make sure you’re keeping information safe.”
Lubomirski says someone recently reached out to him from U-M Shared Services when Lubomirski’s email was spoofed. A person posing as him emailed an invoice to Shared Services, asking for payment for an anti-virus software product. “Shared Services was suspicious since that’s not the process for paying invoices and reached out to me. I explained that I didn’t send it,” he says. “Someone created a Geek Squad invoice for $300 and tried to pass it off like I was sending it over to get it paid. It was a real company with a believable amount. So these emails are no longer using the red flag $1 million amount like in the Nigerian Prince scheme. They are getting good at what they do.”
The university won’t ask for information it already has on file.
U-M will not reach out to you to give or confirm information. “It’s not how U-M business is conducted,” Lubomirski says. “And if you are being asked for information, remember that a U-M employee isn’t going to ask you for things that U-M already knows. If we need to confirm your identity, we will not ask you for your password or Duo passcode.”
Instead, there’s a different process in place. “Anytime we need you to prove who you are, we will send a Duo push to your phone to verify,” Lubomirski explains.
Be wary of emails that request immediate action.
A constant with phishing emails is the urgency of them. There’s a psychological reason for this, Lubomirski says. “If there is an urgency there, we don’t have the time to think that this might be bad. These messages prey upon our weaknesses as humans.” Phishing requests often include gift card needs from a supervisor or a required immediate payment to keep a service.
Lubomirski says the recent virus-contact phish also used a different motivating factor: fear. “People are still worried, don’t want to infect others and want information to help us all stay healthy, so they clicked the link quickly,” he says. “If that feeling of immediacy wasn’t there and they checked first, recipients would have noticed that an incorrect title was used and there isn’t a health center at UM-Dearborn. These emails push us to respond quickly so that we don’t take time to look over the details,” he says.
Phone call and text scams are on the rise.
So what’s next? Lubomirski says calls and texts are the next frontier. For example, a text may direct someone to a website or number to call. The website may look legit, but Lubomirski encourages people to do a little digging before giving information or money. “They are setting up websites to make the scams more believable. Your best bet is to end the call if you are on the phone and call the person or company back at a verified number. If it is a text with a link, avoid clicking the link and do your own browser search. If you are unsure of the source, cut off the original communication stream and start a new one. That way you know who you are talking with.”
If you think you’ve been phished, report it.
This one might seem painful, but Lubomirski wants to emphasize that there isn’t a reason to feel shame if you occasionally get caught by a phish: “I promise there’s no ITS naughty list. These people are great at what they do and we know that. And the only way we can protect you and our campus is to know when these things happen. We’ll coach you through it.”
Here are three ways to get help.
Story by Sarah Tuxbury.