ADVISORY: Uptick in phishing email impersonating U-M employees

Tuesday, February 5, 2019

The information below was sent to the IT Security Community and Frontline Notify groups via email on February 5, 2019. Members of those groups were asked to share this information with those in their units as appropriate.

Information Assurance is seeing an uptick in fraudulent emails that appear to come from U-M employees or offices. This is a practice known as “spoofing.” Different versions of these emails ask the recipient to:

  • Quickly arrange for gift cards to cover a university expense
  • Make an immediate wire transfer to an unfamiliar account
  • Pay an online invoice

Sometimes the From address shows the name of a U-M manager, department chair, or dean, along with an unfamiliar address. Sometimes the address itself is forged and looks like a real U-M address. The Subject may be a generic request for help (for example, "Are you there?" "Urgent request") or an invoice number. In all cases, the intent is to make it appear that someone at the university in a position of authority is directing you to complete a university task. By responding, you risk theft, malware, and account compromise.
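
A mail administrator could screen for the two From-address patterns described above with a check like the following. This is an added example, not part of the original advisory; the domain example.edu, the staff names, and the sample messages are constructed stand-ins.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.edu"  # assumption: stand-in for the university's mail domain
STAFF_NAMES = {"pat example", "dana sample"}  # constructed directory names
URGENT_SUBJECTS = ("are you there", "urgent request")  # subjects quoted in the advisory

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def in_org(addr):
    d = domain_of(addr)
    return d == ORG_DOMAIN or d.endswith("." + ORG_DOMAIN)

def triage(raw):
    """Return the reasons a message matches the impersonation patterns."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    reasons = []
    # Pattern 1: a known name paired with an unfamiliar (outside) address.
    if name.strip().lower() in STAFF_NAMES and not in_org(addr):
        reasons.append("staff display name with outside address")
    # Pattern 2: forged org address. Only trust the Authentication-Results
    # header stamped by your own gateway (here assumed to be the topmost).
    if in_org(addr) and "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        reasons.append("org From address without DMARC pass")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(addr):
        reasons.append("Reply-To domain differs from From")
    if any(s in msg.get("Subject", "").lower() for s in URGENT_SUBJECTS):
        reasons.append("generic urgent subject")
    return reasons

# Constructed sample messages (not real mail).
SAMPLES = {
    "lookalike": "From: Pat Example <pat.office@mailbox.example>\n"
                 "Subject: Are you there?\n\nPlease buy gift cards today.\n",
    "forged": "From: Dana Sample <dsample@example.edu>\n"
              "Reply-To: dsample@mailbox.example\n"
              "Authentication-Results: mx.example.edu; spf=fail; dmarc=fail\n"
              "Subject: Urgent request\n\nWire the funds now.\n",
    "legit": "From: Dana Sample <dsample@example.edu>\n"
             "Authentication-Results: mx.example.edu; dmarc=pass\n"
             "Subject: Staff meeting notes\n\nNotes attached.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

The reasons returned are signals for a person to review, not a verdict on the message.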

How Do Scammers Get U-M Names?

As a public institution, the university publishes contact information on many college, school, department, and unit websites. Scammers can easily find organizational web pages with contact addresses, publicly visible email groups that contain names and email addresses, and postings on social networks with names and addresses to use. They then set up free email accounts using those names and send to the groups they found online.

What You Can Do

  • Be suspicious of communications with urgent, unfamiliar requests. Review the sending email address closely to see whether it is a U-M address. Check with the apparent sender by phone call, chat, or in person if you are at all unsure. Or send a separate email to the person's usual email address. Do not reply to the request itself.
  • Ignore any request for payment via gift card. "Anyone who demands payment by gift card is always, always, always a scammer," according to the Federal Trade Commission (FTC). "Gift cards are for gifts, not payments."
  • Verify unusual requests for money (via wire transfer, gift card, or other means) from your supervisor or leadership before acting.
  • Don't open unexpected attachments or shared documents. Scammers frequently send emails that appear to be from someone you know to trick you into an action that will lead to infecting your computer with malware.
  • Check U-M phishing alerts. Samples of phishing and other malicious emails reported at U-M are published at Safe Computing: Phishing Alerts. This is not a complete or comprehensive list of emails received, but it can give you an idea of what common malicious emails look like.
  • Report emails impersonating people at U-M by sending them to [email protected]. Include full message headers if possible.
  • Report compromise. If you suspect you fell for a scam or your account was compromised, change your password—your UMICH (Level-1) and/or your Michigan Medicine (Level-2) password. Then report it: Report an IT Security Incident.

What U-M Is Doing

  • Information Assurance (IA) staff routinely report malicious senders to the appropriate service providers (such as Google, Yahoo, and so on). The service providers can then shut down the offending accounts.
  • IA shares and uses threat intelligence from across the Big Ten Academic Alliance to block known malicious websites and addresses.
  • Providers of email used at U-M (Google Mail, Michigan Medicine Exchange) routinely block email from known malicious addresses.

This is a perennial problem that plagues all sectors, including higher education. Scammers regularly employ these same tactics to impersonate organizations outside the university—such as the IRS—to trick people into sending money or personal information. You should always be cautious when asked to do something unusual or unexpected in email.

Information Assurance