Email scams and phishing – how to spot them in your Purdue email and what to do

Phishing emails are often vague, include poor spelling and grammar and contain suspicious links.

As an introduction to cybersecurity lingo, we’re going to look at two types of scams: those that seek credentials and those that seek money. Email and phone scams requesting credentials, such as a username and password or credit card number, are known as phishing and vishing.

Scammers who impersonate someone considered trustworthy or credible, such the IRS, your supervisor or a high-level administrator, are usually hoping that someone will fall for their impersonation and do whatever is requested of them. In some cases, they will ask a recipient to buy gift cards, wire money or cash bad checks. These scams are known as social engineering.

So far, we’ve reviewed three types of scams: phishing, vishing and social engineering.

Let’s look at how those scams play out on Purdue’s campus.

Phishing

Phishing scams that seek your credentials are extremely common. In fact, in 2018, of the 2.3 billion messages sent to purdue.edu email addresses, 1.4 billion messages were found to be malicious and blocked by Purdue’s Cisco spam filter or the Microsoft Office 365 filter.

Phishing scams should be easy to spot, but sometimes we’re tired, overwhelmed by email, or just not paying attention. Giving up your username and password may seem less risky now that BoilerKey two-factor authentication is in place, but it’s a hassle nonetheless to have your password scrambled when your account gets compromised.

Here’s how to spot a phishing email:

  1. Provokes fear or urgency. If the email asks that you act fast to avoid a serious consequence, be suspicious.
  2. Asks you to click. If an email says click on a link, move your mouse to hover over it to see where it actually leads. If you even think there’s a problem, don’t click.
  3. Uses vague language. If the email is addressed to no one or a generic greeting such as “colleagues” and contains few details, it’s likely a scam.

Vishing

Much like phishing, vishing is a scamming technique that’s used over the phone. If you receive a phone call asking for information such as a social security number, credit card information or other sensitive information, be alert and listen to who’s asking. If, for example, the caller says they’re from your bank, hang up and call your bank back directly.

Social Engineering

Social engineering, much like trying to trick someone out of their credentials, can be implemented across mediums. In contrast with phishing and vishing, social engineering scams do not require handing over credentials and instead ask the recipient to hand over cash or a cash substitute, such as a gift card.

At Purdue, a few scams happen over and over. Students, faculty and staff should be knowledgeable about how to spot them.

  • Phone scams: Recently, international students, faculty and staff were receiving calls from “international law enforcement” or an “embassy.” The caller used threats of suspicious financial activity to extort money from them and sometimes threats of the police confiscating their passport.
  • Email scams: This year, we’ve seen two types of email scams: one that asks recipients to buy a gift card for someone impersonating a high-level administrator or supervisor, such as a dean or department head. The second scam starts as phishing and once the scammer has access to a Purdue email account, they send out a mass message with a “job offer.” These emails look legitimate because they either come from a purdue.edu address or look like they are from a personal email address not known to be used for spam. Purdue’s spam filters may not catch these types of messages.

How can you help prevent the spread of spam and scam messages?

  1. Understand what to look for in a malicious message (uses threats or a sense of urgency, asks for credentials, or asks for you to buy something).
  2. Forward the email as an attachment to abuse@purdue.edu.

Last year, 1,711 people reported potential scam emails to abuse@purdue.edu, meaning that some 48,000 faculty, staff and students ignored those messages or fell for them.

Last updated: April 5, 2019