NOTICE: Scammers impersonating U-M executives
2/5/19 update: Although this notice focused on some particular emails that impersonated a specific person, scammers have impersonated many members of the university community, including managers, supervisors, deans, department chairs, and more.
10/15/18: The information below was sent via email to the IT Security Community and Frontline Notify (FLN) groups on October 15, 2018.
We have received reports in recent days of criminals sending email that appears to come from President Mark Schlissel asking U-M staff members if they are available. If the staff member responds, the scammer may follow-up, continuing to pose as President Schlissel, asking them to purchase gift cards on his behalf and send him the card redemption numbers. This is a variation on an old scam, and we are providing these reminders to members of the U-M community:
- Be suspicious of communications with urgent requests from executives. Review the sending email address closely to see whether it is a U-M address. Check with the apparent sender by phone call, chat, or in-person if you are at all unsure. Or send a separate email to the person's usual email address. Do not reply to the request itself.
- Ignore any request for payment via gift card. "Anyone who demands payment by gift card is always, always, always a scammer," according to the Federal Trade Commission (FTC). "Gift cards are for gifts, not payments,"
- Verify unusual requests for money (via wire transfer, gift card, or other means) from your supervisor or leadership before acting.
- Report emails impersonating people at U-M by sending them to firstname.lastname@example.org. Include full message headers if possible. Information Assurance staff routinely report malicious senders to the appropriate service providers.
In some versions of this scam, criminals send email purporting to be from executives asking for bank account numbers and/or requesting wire transfers. The version we are now seeing at U-M has these new characteristics:
- The request is for gift cards, frequently iTunes gift cards.
- The scammers begin with what is called a "feeler" message. It may simply ask, "Are you available?" If the staff member responds, a follow-up email makes an urgent request for immediate money for an important task.
The sending email address for these fraudulent emails is often a variation on the person's name, perhaps with a number added, from a personal GMail, Yahoo, or other freely available account. Sometimes it is from a forged U-M address.
Those who report to executives or work in financial or human resources departments are frequent targets. Criminals search online for org charts, contact information on websites, social media posts, and other published information to identify leaders and their staff to target. Such information is widely available for public universities such as the University of Michigan.
Please provide this reminder to any of your colleagues who may find it helpful. Below are some resources with examples of typical scam messages and additional detail.
- Asked to pay by gift card? Don’t. (FTC, 5/31/18)
- SCAM OF THE WEEK: "The Boss Needs iTunes Gift Cards For Customers... NOW" (KnowBe4 Security Awareness Training Blog, 9/12/18)
- CEO Fraud (KnowBe4)
- Scam victims pay 'back taxes' with iTunes gift cards (CNBC, 3/5/18)
- Business E-Mail Compromise: Cyber-Enabled Financial Fraud on the Rise Globally (FBI, 2/27/17)
- Beware: If you get an email like this from your boss, it might not be legit (CNBC, 8/1/16)
- IA Advisory: Phishing emails targeting university financial information via fraudulent wire transfer requests (Safe Computing, 3/3/15)