Scammers Target Universities with Phishing

Scammers regularly send phishing emails in which they impersonate trusted officials and experts in emails to target faculty, staff, and students at universities—including the University of Michigan. 

Why Scammers Want Your Account

You may not think you have much in your computing account that a criminal could want, but you do. Your U-M account provides access to valuable services and resources. Here are just a few examples:

  • Library access. You have access to licensed journals and other materials that criminals can sell on the black market.
  • A university email account. People tend to trust emails sent from educational institutions with addresses that end in .edu. Criminals can use compromised email accounts to send spam and phishing emails.
  • Your personal information. You can log into Wolverine Access to see and update personal information such as your address, emergency contacts, tax information, and paycheck direct deposit details.
  • Money. Criminals try to trick people into sending money by making the request appear to be for a university financial transaction. Be suspicious of unexpected requests for payment via wire transfer or gift card.
  • Access to online storage and other services. You have access to Google Drive at U-M, Dropbox at U-M, specialized software, and more.
  • Special access. Managers have access to information about the employees who report to them. Researchers have access to cutting-edge research data. System administrators have privileged access to U-M systems.
  • Network access. You have access to on-campus networks and the U-M VPN. This gives you access to resources and services that are limited to those connecting from U-M networks.

Targeted Phishing Emails Based on Public Information

As a public institution, the university publishes contact information on many college, school, department, and unit websites. Scammers:

  1. Find organizational web pages with contact addresses, names, and email addresses, and postings on social media with names and addresses to use.
  2. Set up free email accounts using those names.
  3. Send messages to the groups and individuals they found online. The emails might ask for help making a payment or for information for a report.

For example, a scammer could look online to find out the dean of a particular school at U-M, create a free email account using a version of the dean's name, and then send emails from that account to individual faculty and staff members in that school asking that they arrange for a wire transfer to cover a fake expense.

What You Can Do