Back in his federal law enforcement days, WUSM’s Assistant Director of Investigations and Crime Prevention, Steve Manley, came upon an advance fee scam. An informant who operated a corner store in East St. Louis called him one afternoon. He told Manley a customer was sending large sums of money to Nigeria via Western Union. The caller offered to stall the customer, and Manley rushed over. Upon arrival, he found an elderly, deaf woman. Manley asked why she was wiring money to Nigeria. Before answering, she presented a business card bearing the Illinois statute that guarantees deaf people the services of an interpreter when interviewed by law enforcement. After some phone calls, a deaf interpreter came to the scene.
Through the interpreter, the woman explained that she received an email saying that she won the “Deaf Lottery.” Thrilled, she replied to the email to collect her prize. Before she could collect her fortune, the crooks needed her to pay various fees upfront. She paid them, but they kept demanding more.
She went to the local police. They told her to stop paying because she was being defrauded. By that time, she had paid thousands of dollars to the “Deaf Lottery.”
Weeks later, she received an email from the “FBI.” They said they apprehended the scammers who defrauded her, and she was the only victim they could identify. As such, she was entitled to the approximate $600,000 they allegedly recovered from the scheme. Elated, the woman agreed to the offer. As before, the so-called agents needed her to pay advance fees before she could collect the money. So now she started paying the “FBI.” After a while, she wondered if she might be getting scammed again. She stopped paying, but the scammers immediately threatened her. According to them, backing out of the agreement represented fraud against the government. Scared of prison, she was at the corner store that day to make one of many payments to the supposed FBI office in Nigeria.
During her conversation with Manley, the fake agents bombarded her with messages demanding the next payment, threatening to come to her home and lock her up the following day. Manley finally convinced her to reply, “Okay, I’ll be waiting for you. What should I wear?”
They went silent.
Manley received an email from her weeks later. She said the “good folks from the Deaf Lottery” contacted her again. They were still holding her winnings. All she had to do was pay some more fees…
Between the two schemes, she lost about $27,000.
10 Phishing Safety Tips
- Don’t click. Instead of clicking on any link in a suspicious email, type in the URL or search wustl.edu for the relevant department or page. Even if a website and/or URL in an email looks real, criminals can mask its true destination.
- Be skeptical of urgent requests. Phishing messages often make urgent requests or demands. When you detect a tone of urgency, slow down and verify the authenticity of the sender and the request by using official channels rather than the information provided by the sender.
- Watch out for grammar, punctuation, and spelling mistakes. Phishing messages are often poorly written. Common hallmarks of phishing are incorrect spelling, improper punctuation, and poor grammar. If you receive an email with these problems, it may be a phishing attempt. Double-check the email address of the sender, don’t follow any links, and verify the authenticity of the request using official channels.
- Keep your information private. Never give out your passwords, credit card information, Social Security number, or other private information through email.
- Pick up the phone. If you have any reason to think that a department or organization really needs to hear from you, call them to verify any request for personal or sensitive information. Emails that say “urgent!”, use pressure tactics, or prey on fear are especially suspect. Do an online search for a contact phone number or use the contact number published in the Workday Directory.
- Use secure websites and pay attention to security prompts. Always check if you are on a secure website before giving out private information. You can determine whether a website is secure by looking for the “https:” rather than just “http:” in the Web address bar or for the small lock icon in the Internet browser. If your browser cannot validate the authenticity of the website’s security certificate, you will be prompted. This is frequently a telltale sign of fraud, and it would be a good time to pick up the phone or report a suspicious message.
- Keep track of your data. Regularly log onto your online accounts and make sure that all your transactions are legitimate.
- Reset any account passwords that may have been compromised.
- Know what’s happening. Visit the Office of Information Security Alerts page often.
- Report it. If you are a victim of an email scam, report it to our office by using the Phish Alert Button (PAB). When you report a phishing attack, we will investigate it and, if necessary, remove other instances of the attack from our systems. Reporting the attack will help protect others and our institution.
What To Do if You’re a Victim
Report vishing attempts to InfoSec@wustl.edu so our office can review the activity.