Some students have been receiving messages like the one below through their Cal Poly emails:
To whom it may concern,
I contacted your school admin at Cal Poly; I graduated from there. I explained that I was looking for an Administrative/Personal Assistant and your email was sent to me, they said you were an honest person… the position is extremely rewarding. Get back to me with your phone number ASAP if you are interested in more information.
Regards,
Colton
It may look innocent on the surface, but these scams, known as phishing emails, are used by criminals to steal information and trick victims into purchasing specific items.
According to a report from the FBI’s Internet Crime Complaint Center, individuals in the United States lost roughly $30 million to phishing schemes in 2017.
Approximately 3.4 billion scam emails are sent around the world daily, according to Valimail’s Spring 2019 Email Fraud Landscape, and the Cal Poly community is no exception to the issue.
Cal Poly Chief Information Officer Bill Britton estimates the last year brought about a 700 percent increase in phishing attacks on the community.
Britton is responsible for managing Cal Poly’s information technology. He said the spike could be a result of students directing their school emails to external servers.
“If a bad email goes out to your Cal Poly account, we literally go in and scrape it and put up a block,” Britton said.
The Information Security department uses this process to stop hackers from accessing information, but it is useless when students direct their messages to Gmail or Yahoo.
“Once you send it to your outside account, we can’t touch it. It’s live now in your environment,” Britton said.
According to Cal Poly Information Security Officer (ISO) Doug Lomsdalen, there are several specific “contexts” in which phishing emails come about on campus that the community should be aware of.
Impersonation Scams
Impersonation emails are among the most common, especially for Cal Poly faculty.
According to Lomsdalen, these emails will often appear to be sent by someone of authority. The hackers may impersonate a superior, like a boss or professor, and claim to be in dire need of assistance with a purchase.
“I’ve seen individuals and victims of these go so far as to purchase gift cards,” Lomsdalen said. “I get one or two of these [scams] a week … where they’ll say they’re running into a meeting and need you to get them some gift cards immediately.”
To avoid falling victim to these, Lomsdalen said, it is best to take some extra time and look closely at the sender's email address.
For example, assume an individual receives a scam email that appears to be from their boss. The name will appear in the inbox and look completely normal, which is why further inspection is necessary. More often than not, according to Lomsdalen, the full email address will look something along the lines of “johnsmith.calpoly.edu@gmail.com”.
Sender verification is necessary when dealing with messaging of this nature, Lomsdalen said, and should be practiced diligently by all members of the community to prevent being attacked.
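The sender check described above can also be automated. The sketch below is an added example, not Cal Poly's own tooling: it parses a From: header and flags senders whose display name, local part or domain mentions the organization's domain while the mail actually comes from somewhere else. The function name and the sample headers are constructed for illustration; only "calpoly.edu" and the gmail.com address come from the article.

```python
from email.utils import parseaddr

ORG_DOMAIN = "calpoly.edu"  # from the article's example address


def classify_sender(from_header, org_domain=ORG_DOMAIN):
    """Classify a From: header as 'org-domain', 'lookalike', 'external' or 'unparseable'."""
    display_name, address = parseaddr(from_header)
    # Only the part after the LAST '@' is the real sending domain.
    local_part, _, domain = address.lower().rpartition("@")
    if not local_part or not domain:
        return "unparseable"
    # A matching domain is necessary, not sufficient: the header can still be forged.
    if domain == org_domain or domain.endswith("." + org_domain):
        return "org-domain"
    # The org domain shows up somewhere, but the mail is really from elsewhere.
    fields = (display_name.lower(), local_part, domain)
    if any(org_domain in field for field in fields):
        return "lookalike"
    return "external"


# Constructed sample headers (not real messages).
SAMPLES = [
    "John Smith <johnsmith.calpoly.edu@gmail.com>",   # org domain in local part
    "John Smith <johnsmith@calpoly.edu>",             # genuine-looking domain
    "Accounts <verify@calpoly.edu.example.com>",      # org domain as a subdomain label
    '"IT Help calpoly.edu" <helpdesk@example.net>',   # org domain only in display name
    "Colton <colton@example.net>",                    # unrelated external sender
]


def report(headers=SAMPLES):
    """Return (header, verdict) pairs so a reviewer can triage a batch."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in report():
        print(f"{verdict:12} {header}")
```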
Job Offer Scams
According to Lomsdalen, Cal Poly students are commonly affected by email scams in the form of faux job offers.
The unsolicited offers will often directly reference Cal Poly, and claim someone in the university has given a strong job recommendation.
“Do not respond to these emails,” Lomsdalen said. “I’ve seen students cashing checks because these schemes ask them to deposit and transfer the money to a specific account. By the time the banks catch up, [the student is] out $500.”
To prevent falling victim to a job scam, Lomsdalen said he advises that students only use MustangJobs or Handshake, as the school will rarely send out unsolicited offers.
Cal Poly Account Authentication Scam
Additionally, scam requests for fake Cal Poly account authentication are reported frequently.
According to Lomsdalen, students could get an email from someone posing as administration. The message will often claim that the student’s account needs to be authenticated through a specific link, and that failure to do so will result in deactivation.
The Cal Poly Information Security (IS) website warns that cooperating with these scams opens the door to more issues. Once a student’s account is compromised, the email address is used by the scammer to “phish” other Cal Poly emails, and the cycle continues.
The ambiguity of these attacks and threats can be overwhelming. However, an understanding of their structure and the precautions necessary to prevent them can minimize the damage.
“I think right now we emit a lot of digital dust, and that dust is not being filtered,” California Cybersecurity Institute technical advisor Henry Danielson said.
Danielson said students should pay attention to the amount of information they put out on the internet.
He said changing passwords and exercising general caution, especially on accounts associated with Cal Poly or banking applications, like Venmo, are key to avoiding the loss of information and maintaining personal security.