Alerts Newsletter

Scam of the Month: Student-Focused Scams

By

As school begins on campuses nationwide, criminals turn their attention to scams targeting students who are busy preparing for the upcoming semester. Criminals frequently rely on timely topics and strategies to exploit their victims. Below, you will find examples of real scam emails reported to our team within the last month. As we all gear up for this new semester, please be on the lookout for scams like those below.

Student Aid Scam Sample

If you receive an email like the one above, please don’t interact with anything in the email or follow any of the sender’s instructions. Do not “click to download pictures, click on any links in the message, or reply to the email. Be aware that scammers attempt to evade our defenses by changing the domain in the email address. For example, the attackers might change the “105” in their email address to “101” or “102” so that their messages continue getting through our filters. Report any instance of an email like this so we can block as many email addresses as necessary.

Student Job Scam Example

The message above impersonates a Human Resources manager recruiting WashU students for a part-time job. Sometimes, emails like the one below will impersonate actual members of the WashU community or indicate that the opportunity is specific to WashU students.

Example of scam impersonating WashU professor

Please be wary of unsolicited offers containing grammar and punctuation errors. When in doubt, report the message to the Office of Information Security using the Phish Alert Button. We will investigate the message’s legitimacy and notify you of our determination. If you want to investigate the legitimacy of an offer yourself, NEVER use the contact information or instructions provided in the email. Instead, use known and reliable methods (like the WashU directory) to reach out to that person directly.

Avoid this scam and other phishing scams by following our ten phishing safety tips and related guidance below.

10 Phishing Safety Tips

  1. Don’t click. Instead of clicking on any link in a suspicious email, type in the URL, or do a search on wustl.edu for the relevant department or page. Even if a website and/or URL in an email looks real, criminals can mask its true destination.
  2. Be skeptical of urgent requests. Phishing messages often make urgent requests or demands. When you detect a tone of urgency, slow down and verify the authenticity of the sender and the request by using official channels rather than the information provided by the sender.
  3. Watch out for grammar, punctuation, and spelling mistakes. Phishing messages are often poorly written. Common hallmarks of phishing are incorrect spelling, improper punctuation, and poor grammar. If you receive an email with these problems, it may be a phishing attempt. Double-check the email address of the sender, don’t follow any links, and verify the authenticity of the request using official channels.
  4. Keep your information private. Never give out your passwords, credit card information, Social Security number, or other private information through email.
  5. Pick up the phone. If you have any reason to think that a department or organization really needs to hear from you, call them to verify any request for personal or sensitive information. Emails that say “urgent!”, use pressure tactics, or prey on fear are especially suspect. Do an online search for a contact phone number or use the contact number published in the WUSTL directory.
  6. Use secure websites and pay attention to security prompts. Always check if you are on a secure website before giving out private information. You can determine whether a website is secure by looking for the “https:” rather than just “http:” in the Web address bar or for the small lock icon in the Internet browser. If your browser cannot validate the authenticity of the website’s security certificate, you will be prompted. This is frequently a telltale sign of fraud, and it would be a good time to pick up the phone or report a suspicious message.
  7. Keep track of your data. Regularly log onto your online accounts and make sure that all your transactions are legitimate.
  8. Reset any account passwords that may have been compromised.
  9. Know what’s happening. Visit the Office of Information Security Alerts page often and follow us on Twitter to get the latest WashU Information Security Alerts.
  10. Report it. If you are a victim of an email scam, report it to our office by using the Phish Alert Button (PAB). When you report a phishing attack, we will investigate it and, if necessary, remove other instances of the attack from our systems. Reporting the attack will help protect others and our institution.

Additional Resources

Phishing | Office of Information Security | Washington University in St. Louis
Phishing 101 | Office of Information Security | Washington University in St. Louis

Protect Yourself from Social Engineering

Protect Yourself from Social Engineering