Based upon a recent analysis of over 500 reports of fraud schemes targeting universities or their students, the Federal Bureau of Investigation’s Cyber Division issued a public service announcement identifying common scams and providing guidance on how to avoid them. Financial losses to higher education institutions have approached one million dollars in some recent incidents, and students who fall prey to these schemes often lose several thousand dollars.
Vendor bank account scams
Universities engage in large construction projects that require regular electronic payments totaling six or seven figures in dollars. Scammers can easily identify ongoing construction on a campus and then use social engineering and e-mail spoofing to commit fraud. Posing as an established vendor on the project, the scammer e-mails the university’s accounting office with new bank account details for future payments, often spoofing the vendor company’s actual e-mail address. Once the university sends a payment to the scammers’ bank account, the money is usually long gone and unrecoverable by the time the fraud is detected.
Universities should always take careful steps to verify any vendor e-mail purporting to change payment account instructions. Common-sense but often overlooked steps, such as a simple verification phone call to the vendor, can easily expose the scam. Recipients should also carefully examine the sender’s e-mail address to confirm that it matches the vendor’s domain, but this step alone may not be sufficient to uncover more sophisticated e-mail spoofing.
Fake “education tax” scam
Scammers telephone college students, who face academic pressure and likely tight budgets, claiming to be calling from the IRS or FBI. The caller ID may be spoofed to display the number of the local government field office. The scammer warns the student that he or she must immediately pay a fake “education tax” and requests payment by gift card from a retail chain or tax preparation company. Once the student has purchased a gift card in the instructed amount, the scammer asks for the card number, claims the amount is insufficient and demands further gift card purchases.
Students should be aware that the IRS and FBI will not contact an individual by telephone regarding owed taxes. The simplest solution to such scams is to hang up on the caller purporting to be from either the IRS or FBI.
Phishing for W-2s
Universities have been primary targets of ongoing phishing schemes directed at payroll and human resource departments. The scams often emerge around the end of January, just as universities are returning from the holiday break and starting their spring semesters. Scammers pose as high-level executives (such as the university president, CFO or treasurer) when requesting W-2 information from payroll employees. The e-mail spoofing varies in sophistication. For example, if the real domain is ABCUniversity.edu, the scammer might use the fake domain name ABCUniversity.com.
Again, diligence is vital when examining e-mails that request such information. Contacting the office of the requesting administrator is the simplest way to confirm that the request is legitimate. The individual’s official title may also be stated almost, but not quite, correctly, or be out of date. Finally, the recipient should check the “reply to” section of the e-mail headers to confirm that it matches the sender’s e-mail address.
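The two header checks recommended above for vendor e-mails and for W-2 requests (does the sender’s domain match the vendor or university domain, does the “reply to” address match the sender, and is the domain a lookalike such as ABCUniversity.com for ABCUniversity.edu) can be automated at the mail gateway or in a mailbox triage script. The following Python script is an added example, not code from the FBI announcement or from this article; the trusted-domain list, the financial keywords and the three sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: the institution keeps an allowlist of domains it actually
# corresponds with (its own domain plus established vendors). Constructed values.
TRUSTED_DOMAINS = {"abcuniversity.edu", "acme-builders.com"}

# Phrases that make a message a financial request needing out-of-band verification.
FINANCIAL_TERMS = ("bank account", "direct deposit", "w-2", "wire transfer", "routing number")


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance; domains are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(candidate, trusted):
    """True when candidate imitates trusted: the same name with a swapped TLD
    (ABCUniversity.edu vs ABCUniversity.com) or a single-character edit (l -> 1)."""
    candidate, trusted = candidate.lower(), trusted.lower()
    if candidate == trusted or not candidate:
        return False
    cand_name, _, cand_tld = candidate.rpartition(".")
    trust_name, _, trust_tld = trusted.rpartition(".")
    if cand_name == trust_name and cand_tld != trust_tld:
        return True
    return edit_distance(candidate, trusted) == 1


def check_message(raw, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of finding tags for one RFC 822 message (empty list = nothing flagged)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) or from_dom
    findings = []

    if from_dom not in trusted_domains:
        if any(lookalike(from_dom, t) for t in trusted_domains):
            findings.append("lookalike-sender-domain")
        else:
            findings.append("unknown-sender-domain")

    # A Reply-To that differs from the visible sender means replies (and any
    # "updated" payment details) go somewhere other than the apparent vendor.
    if reply_dom != from_dom:
        findings.append("reply-to-mismatch")
        if lookalike(reply_dom, from_dom):
            findings.append("lookalike-reply-to-domain")

    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")).lower()
    if any(term in text for term in FINANCIAL_TERMS):
        findings.append("financial-request")
    return findings


# Constructed sample messages: a vendor account-change scam, a W-2 request from a
# lookalike domain, and a routine internal notice.
VENDOR_CHANGE = """\
From: Acme Builders <billing@acme-builders.com>
Reply-To: Accounts <ap.update@acme-bui1ders.com>
To: accounts.payable@abcuniversity.edu
Subject: Updated remittance details
Content-Type: text/plain; charset="utf-8"

Please update our bank account on file for all future payments.
"""

W2_REQUEST = """\
From: President Jane Doe <president@abcuniversity.com>
To: payroll@abcuniversity.edu
Subject: W-2 forms needed today
Content-Type: text/plain; charset="utf-8"

Send me every employee's W-2 as a single PDF before noon.
"""

ROUTINE = """\
From: Facilities <facilities@abcuniversity.edu>
To: staff@abcuniversity.edu
Subject: Parking notice
Content-Type: text/plain; charset="utf-8"

The north lot is closed on Friday for resurfacing.
"""

if __name__ == "__main__":
    for name, raw in (("vendor", VENDOR_CHANGE), ("w2", W2_REQUEST), ("routine", ROUTINE)):
        print(name, check_message(raw))
```

A message that carries “financial-request” together with any other tag should be held for the phone call the article recommends, placed to a number already on file rather than one taken from the e-mail. The script deliberately does not attempt to authenticate the sender cryptographically; SPF, DKIM and DMARC belong at the gateway, and this check complements them by catching the lookalike domains and reply-to redirections that pass those controls because the scammer owns the imitation domain.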
Phishing scheme involving payroll fraud
In this more sophisticated scam, the scammer gains access to the payroll system and alters direct deposit information. Purporting to be a university executive, the scammer sends a spoofed e-mail with a PDF attachment. Upon opening the PDF, the user is prompted to enter log-in credentials. The scammer uses those credentials to log into the payroll system and changes the employee’s deposit information so that payments go to a “Green Dot” pre-paid card. To avoid detection, the scammer also creates rules in the employee’s e-mail account that send any message containing words such as “phishing,” “direct deposit” or “payroll” to the deleted folder.
The simplest solution is to avoid clicking on attachments or links from unknown individuals or in suspicious e-mails. If the user has already opened the attachment or link, he or she should not enter log-in credentials. Again, checking the “reply to” section of the e-mail header against the sender’s address is another protective measure.
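The mailbox rules described above (delete or forward anything mentioning “phishing,” “direct deposit” or “payroll”) are also a detection opportunity for the university’s IT staff, because such rules rarely have a legitimate purpose. The following Python audit is an added example, not code from the FBI announcement or from this article; it assumes the mail platform’s rules have been exported into plain dictionaries with the field names shown here (those names are this example’s own, not any vendor’s API), and the three sample rules are constructed.

```python
# Assumption: rules exported from the mail platform into dicts of this shape.
# Field names below are this example's own, not any vendor's rule schema.
ORG_DOMAIN = "abcuniversity.edu"

# Words the scammer does not want the mailbox owner to read (from the scheme above).
WATCH_TERMS = ("phishing", "direct deposit", "payroll", "w-2", "password")

# Destination folders that effectively hide a message from the owner.
HIDING_FOLDERS = {"deleted items", "junk", "rss feeds", "archive"}

SAMPLE_RULES = [  # constructed sample export
    {
        "owner": "jsmith@abcuniversity.edu",
        "name": "Cleanup",
        "conditions": {"body_contains": ["phishing", "direct deposit", "payroll"]},
        "actions": {"move_to": "Deleted Items", "mark_read": True},
    },
    {
        "owner": "jsmith@abcuniversity.edu",
        "name": "Copy to personal",
        "conditions": {"subject_contains": ["payroll"]},
        "actions": {"forward_to": "j.smith.backup@example.net"},
    },
    {
        "owner": "alee@abcuniversity.edu",
        "name": "Newsletters",
        "conditions": {"from_contains": ["newsletter@"]},
        "actions": {"move_to": "Newsletters"},
    },
]


def rule_terms(rule):
    """All keyword conditions of a rule, lower-cased, whichever field they match on."""
    terms = []
    for field, values in rule.get("conditions", {}).items():
        if field.endswith("_contains"):
            terms.extend(v.lower() for v in values)
    return terms


def audit_rule(rule, org_domain=ORG_DOMAIN):
    """Return the reasons a rule looks like post-compromise concealment (empty = benign)."""
    reasons = []
    actions = rule.get("actions", {})
    watched = [t for t in rule_terms(rule) if any(w in t for w in WATCH_TERMS)]
    hides = actions.get("move_to", "").lower() in HIDING_FOLDERS or actions.get("delete", False)

    # Keyword match on security/payroll terms plus a hiding action is the signature
    # of the rule the scammer plants after changing direct deposit details.
    if watched and hides:
        reasons.append("hides-security-keywords:" + ",".join(sorted(watched)))

    # Auto-forwarding outside the organisation leaks every matching message.
    fwd = actions.get("forward_to", "")
    if fwd and not fwd.lower().endswith("@" + org_domain):
        reasons.append("forwards-externally:" + fwd)

    # Marking hidden mail as read removes the last visible trace (the unread count).
    if actions.get("mark_read") and hides:
        reasons.append("suppresses-unread-indicator")
    return reasons


def audit_rules(rules, org_domain=ORG_DOMAIN):
    """Map each suspicious rule, keyed by (owner, name), to its list of reasons."""
    flagged = {}
    for rule in rules:
        reasons = audit_rule(rule, org_domain)
        if reasons:
            flagged[(rule["owner"], rule["name"])] = reasons
    return flagged


if __name__ == "__main__":
    for (owner, name), reasons in audit_rules(SAMPLE_RULES).items():
        print(f"{owner} / {name}: {'; '.join(reasons)}")
```

Running the audit on a schedule, or on the rule-creation event most mail platforms log, turns the scammer’s concealment step into an alert; a flagged mailbox should be treated as compromised, and the employee’s direct deposit details in the payroll system checked before the next pay run.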
Prevention and reporting
Universities should have policies and training for verifying the legitimacy of e-mails altering payments to vendors or requesting the disclosure of payroll and financial information. Students should be made aware of the schemes commonly used to target young adults, who are often managing their expenses independently for the first time. Suspicious activity should be reported to appropriate university personnel and to the FBI’s Crime Complaint Center at www.IC3.gov.