Beware of email scams impersonating U-M leaders

This information was sent via email to U-M deans, directors, and department heads (the "3-D" list) on April 4, 2019.

Hello deans, directors, and department heads,

Please encourage your staff to verify any unusual requests for gift cards, wire transfers, and personal information before acting on them.

Criminals and scam artists continue to be creative in how they seek to gain access to data and funds. Increasingly, they are preying on well-intentioned individuals who only seek to be helpful. Staff across U-M, in their eagerness to help, may fall for a scam in which fraudsters impersonate U-M leaders, faculty, researchers, and others.

While we cannot entirely stop scammers from forging the From information in emails, we can educate the U-M community about Scams & Fraud and Phishing & Suspicious Email. Please help us with this by making sure your staff members know you will never ask them to run out and get you gift cards on a moment's notice, and to be very wary when they receive email with your name on the From line paired with an address that does not end in @umich.edu.

Below is information you can share in your unit about this scam. This information has already been shared with your unit's Security Unit Liaison (SUL) through this Information Assurance Notice: Got a  minute? Are you available?

Thank you for your help,

Ravi Pendse, Ph.D.
Vice President for Information Technology and Chief Information Officer
University of Michigan

Sol Bermann
Interim Chief Information Security Officer and Chief Privacy Officer
University of Michigan

About the Scam

Scammers continue to target faculty and staff with emails that appear to be from their unit or other U-M leadership asking for help with a payment or gifts for an event—and sometimes asking for W-2s or other information or for a direct deposit change. Here are some clues to help you recognize the scam:

  • A sender that appears to be someone you know. Sometimes a clue is that although the name is familiar, the actual address may be a personal GMail, Yahoo, or other account. Sometimes the From information is forged and shows a U-M address.
  • Subject lines like these:
    • Are you available?
    • Are you there?
    • Got a minute?
    • Urgent request
  • An email interaction over several messages that begins by asking if you can help then goes on to ask for gift cards for an event or payment. The sender will offer to reimburse you when they return to the office. You may be directed to buy the cards, scratch off the material that hides the redeeming code, then send a photo of them to the scammer

See a sample at Phishing Alert: (Subject varies) Hi, I am busy, I need you to purchase gift cards!

This is a perennial problem that plagues all sectors, including higher education. Scammers regularly employ these same tactics to impersonate organizations outside the university—such as the IRS—to trick people into sending money or personal information. You should always be cautious when asked to do something unusual or unexpected in email.

What You Can Do

  • Be suspicious of communications with urgent, unfamiliar requests. Review the sending email address closely to see whether it is a U-M address. Check with the apparent sender by phone call, chat, or in-person if you are at all unsure. Or send a separate email to the person's usual email address. Do not reply to the request itself.
  • Ignore requests for payment via gift card. "Anyone who demands payment by gift card is always, always, always a scammer," according to the Federal Trade Commission (FTC). "Gift cards are for gifts, not payments."
  • Verify unusual requests for money (via wire transfer, gift card, or other means), including those from your supervisor or leadership, before acting.
  • Do not open unexpected attachments or shared documents. Scammers frequently send emails that appear to be from someone you know to trick you into an action that will lead to infecting your computer with malware.
  • Check U-M phishing alerts. Samples of phishing and other scam emails reported at U-M are published at Safe Computing: Phishing Alerts. This is not a complete or comprehensive list of emails received, but it can give you an idea of what common malicious emails look like.
  • Report emails impersonating people at U-M by sending them to reportphish@umich.edu. Include full message headers if possible.
  • Report compromise. If you suspect you fell for a scam or your account was compromised, change your password—your UMICH (Level-1) and/or your Michigan Medicine (Level-2) password. Then report it: Report an IT Security Incident.

How Scammers Get U-M Addresses

As a public institution, the university publishes contact information on many college, school, department, and unit websites. Scammers can easily find organizational web pages with contact addresses, publicly-visible email groups that contain names and email addresses, and postings on social networks with names and addresses to use. They then set up  free email accounts using those names and send to the groups they found online.

What U-M Is Doing

  • Information Assurance (IA) staff routinely report malicious senders to the appropriate service providers (such as Google, Yahoo, and so on). The service providers can then shut down the offending accounts.
  • IA shares and uses threat intelligence from across the Big Ten Academic Alliance to block known malicious websites and addresses.
  • Providers of email used at U-M (Google Mail, Michigan Medicine Exchange) routinely block email from known malicious addresses.
  • IA provides education and awareness materials on Safe Computing, through email, and through other venues to keep the U-M community informed about IT security and privacy topics.

References

Date Sent: 
Thursday, April 4, 2019