NOTICE: Got a minute? Are you available?

Thursday, March 14, 2019

Beware: U-M executive officers, deans, directors, and others are having their email addresses spoofed!

Have you seen emails with subject lines like "Got a minute?" and "Are you available?" and body text with an urgent request for gift cards, wire transfers, or information about unit staff? People in your units have. Faculty and staff across the university continue to be plagued by scam emails that appear to come from their dean, director, or others in positions of authority asking for help with an urgent request. This particular scam shows no signs of abating.

Some of your colleagues are concerned and unsure what to do. Others, in their eagerness to be helpful, have lost money to criminals. Some have attempted to buy gift cards at local stores and been warned by the store's staff of the scam.

Please share information about this scam with those in your unit on a regular basis:

  • Work with leadership. Ask your unit leadership to periodically tell their staff that they will never send them urgent email asking for gift cards, wire transfers, or banking information—and that they will not use personal accounts for university business.
  • Share at meetings. Share this information at faculty and staff meetings in your unit. You can use these "Got a minute" slides.
  • Send email. Copy and paste the information below into an email message and send it to faculty and staff in your unit.
  • Put up posters. Print and post this 8-1/2 by 11-inch poster. A digital sign will be created and posted to this U-M Box folder soon.
    3/19/19 update: Digital signs are now available.

Thank you for all you do to help provide IT security and privacy information to those in your units!

Be Wary of Unusual Email Requests from U-M Leaders

Scammers continue to target faculty and staff with emails that appear to be from their unit or other U-M leadership asking for help with a payment or gifts for an event—and sometimes asking for W-2s or other information about staff. Here are some clues to help you recognize the scam:

  • A sender that appears to be someone you know. Sometimes a clue is that although the name is familiar, the actual address may be a personal Gmail, Yahoo, or other account.
  • Subject lines like these:
      • Are you available?
      • Are you there?
      • Got a minute?
      • Urgent request
  • An email interaction over several messages that begins by asking if you can help, then goes on to ask for gift cards for an event or payment. The sender will offer to reimburse you when they return to the office. You may be directed to buy the cards, scratch off the material that hides the redeeming code, then send a photo of them to the scammer.

See a sample at Phishing Alert: (Subject varies) Hi, I am busy, I need you to purchase gift cards!
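For unit IT staff who triage reported messages, the clues above can be checked mechanically. This is an added example, not U-M code: the mail domain `example.edu`, the leader names, and both sample messages are constructed placeholders to replace with local values.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the notice): placeholder domain and leader names.
ORG_DOMAIN = "example.edu"
LEADER_NAMES = {"pat example", "dana sample"}        # hypothetical leaders
FREE_MAIL = {"gmail.com", "yahoo.com"}               # providers the notice names
SCAM_SUBJECTS = {"are you available?", "are you there?",
                 "got a minute?", "urgent request"}  # subject lines from the notice
REQUEST_TERMS = ("gift card", "wire transfer", "w-2")


def score_message(raw: str) -> list[str]:
    """Return the clues from the notice that a raw RFC 5322 message matches."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    clues = []

    # Familiar leader name, but the actual address is outside the organization.
    internal = domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)
    if display.strip().lower() in LEADER_NAMES and not internal:
        clues.append("leader-name-external-address")
        if domain in FREE_MAIL:
            clues.append("free-mail-account")

    # Short, urgent subject line; drop reply/forward prefixes from later turns.
    subject = msg.get("Subject", "").strip().lower()
    while subject.startswith(("re:", "fw:", "fwd:")):
        subject = subject.split(":", 1)[1].strip()
    if subject in SCAM_SUBJECTS:
        clues.append("scam-subject")

    # Request for gift cards, wire transfers, or W-2s in a plain-text body.
    body = "" if msg.is_multipart() else str(msg.get_payload())
    if any(term in body.lower() for term in REQUEST_TERMS):
        clues.append("payment-or-data-request")
    return clues


# Constructed sample messages for illustration only.
SPOOFED = """From: Pat Example <pat.example.dean@gmail.com>
Subject: Re: Got a minute?

I need you to pick up some gift cards for an event. I will reimburse you.
"""
LEGIT = """From: Pat Example <pexample@example.edu>
Subject: Agenda for Friday

Draft agenda attached for the unit meeting.
"""
```

A message matching several clues is a candidate for verification with the apparent sender by phone or chat; a single clue alone, such as a subject line, is weak evidence.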

What You Can Do

  • Be suspicious of communications with urgent, unfamiliar requests. Review the sending email address closely to see whether it is a U-M address. Check with the apparent sender by phone call, chat, or in-person if you are at all unsure. Or send a separate email to the person's usual email address. Do not reply to the request itself.
  • Ignore requests for payment via gift card. "Anyone who demands payment by gift card is always, always, always a scammer," according to the Federal Trade Commission (FTC). "Gift cards are for gifts, not payments."
  • Verify unusual requests for money (via wire transfer, gift card, or other means), including those from your supervisor or leadership, before acting.
  • Do not open unexpected attachments or shared documents. Scammers frequently send emails that appear to be from someone you know to trick you into an action that will lead to infecting your computer with malware.
  • Check U-M phishing alerts. Samples of phishing and other scam emails reported at U-M are published at Safe Computing: Phishing Alerts. This is not a complete or comprehensive list of emails received, but it can give you an idea of what common malicious emails look like.
  • Report emails impersonating people at U-M by sending them to [email protected]. Include full message headers if possible.
  • Report compromise. If you suspect you fell for a scam or your account was compromised, change your password—your UMICH (Level-1) and/or your Michigan Medicine (Level-2) password. Then report it: Report an IT Security Incident.

How Scammers Get Your Leader's Address and Yours

As a public institution, the university publishes contact information on many college, school, department, and unit websites. Scammers can easily find organizational web pages with contact addresses, publicly-visible email groups that contain names and email addresses, and postings on social networks with names and addresses to use. They then set up free email accounts using those names and send to the groups they found online.

This is a perennial problem that plagues all sectors, including higher education. Scammers regularly employ these same tactics to impersonate organizations outside the university—such as the IRS—to trick people into sending money or personal information. You should always be cautious when asked to do something unusual or unexpected in email.

What U-M Is Doing

  • Information Assurance (IA) staff routinely report malicious senders to the appropriate service providers (such as Google, Yahoo, and so on). The service providers can then shut down the offending accounts.
  • IA shares and uses threat intelligence from across the Big Ten Academic Alliance to block known malicious websites and addresses.
  • Providers of email used at U-M (Google Mail, Michigan Medicine Exchange) routinely block email from known malicious addresses.
  • IA provides education and awareness materials on Safe Computing, through email, and through other venues to keep the U-M community informed about IT security and privacy topics.