University warns of fraudulent job offer scam

Imagine receiving an email from a professor or a colleague asking if you are interested in a job or an internship, perhaps right at the time when job-search stress is setting in.

Now imagine you are the professor named in the email and you receive an email or call from a student about a job you never offered, a job that likely does not exist at all.

Suddenly you both realize you are victims of a complex scam known as a Job Offer Scam.

This is a very real scenario playing out at academic institutions across the country, including U-M. Through social engineering and email sleight of hand, scammers steal data, and sometimes money, from individuals and create tremendous headaches for companies and organizations.

To defeat them, it’s important to understand the three key aspects of these schemes.

Employing social engineering

Social engineering uses old-fashioned confidence tricks with a digital twist. The scammer uses widely available public information to craft convincing messages offering easy rewards. They will:

  • Impersonate real members of the institution, such as professors and administrators.
  • Target other members of the same institution, such as students and staff.
  • Offer something people want in return for little effort, such as an easy job with vague requirements.
  • Craft repeat messages to gather information and build false trust.

Hiding scammer identity

To further the illusion when impersonating a sender, the scammer will use email tricks to hide who they are, including:

  • Creating email accounts that mimic or appear similar to real ones.
  • Spoofing names and addresses.
  • Using a “reply-to” address that goes to the scammer’s account instead of the real one.
  • Asking for replies to a “personal number” such as a cell phone.

Abusing banking processes

Watch out for scams that are trying to get you to send money. One of the most common is the request to purchase gift cards or prepaid credit cards.

A more complicated method is for the scammer to send a check or e-check to the target, ask them to cash it, and then return part of the money, or use the money to buy and send gift cards or prepaid credit cards. Such check overpayment scams take advantage of a bank crediting the victim for the deposit, making it look like they received the funds. When the bank finds out the check was fake, the victim is left with the bill for the amount that was spent.

Here are some ways people can defeat social engineering tricks and expose complex scams:

Ask smart, simple questions. Is it likely someone would offer you a job without you applying for it? Would that professor or administrator normally contact you directly? Is the thing being offered just a little too easy or convenient? As in most things in life, if the offer sounds too good to be true, it likely is.

Check the sender’s email address. Try hovering over email addresses or sender names to spot ones that are close but not exact matches. Look at the reply-to address to see if it’s different from the sender address. The sender’s name and address can be faked, but the scammer will have to use another address to get a reply.
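
The reply-to and near-match checks described above can also be run against raw message headers. The Python below is an added example, not part of the original article; the trusted domain `example.edu`, the 0.8 similarity threshold, and the sample messages are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.edu"   # assumption: placeholder for the institution's mail domain
LOOKALIKE_THRESHOLD = 0.8        # assumption: similarity ratio treated as "close but not exact"

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    _, sep, dom = addr.rpartition("@")
    return dom.lower() if sep else ""

def in_trusted(domain):
    """True for the trusted domain itself or any of its subdomains."""
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)

def check_message(raw):
    """Return a list of warning labels for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    warnings = []
    # A reply would go somewhere other than the visible sender's domain.
    if reply_dom and reply_dom != from_dom:
        warnings.append("reply-to-mismatch")
    # The sender domain is nearly, but not exactly, the trusted one.
    if from_dom and not in_trusted(from_dom):
        ratio = SequenceMatcher(None, from_dom, TRUSTED_DOMAIN).ratio()
        if ratio >= LOOKALIKE_THRESHOLD:
            warnings.append("lookalike-domain")
    return warnings

# Constructed sample messages (not real mail).
SPOOFED = ('From: "Prof. Jane Example" <jexample@example.edu>\n'
           'Reply-To: jane.example.office@mail.example\n'
           'Subject: Part-time research assistant position\n\nAre you available?')
LOOKALIKE = ('From: "Prof. Jane Example" <jexample@examp1e.edu>\n'
             'Subject: Part-time research assistant position\n\nAre you available?')
CLEAN = ('From: "Prof. Jane Example" <jexample@example.edu>\n'
         'Subject: Office hours moved\n\nSee you Thursday.')

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("clean", CLEAN)):
        print(name, check_message(raw))
```

A reply-to mismatch is a prompt to verify rather than proof of fraud, since mailing lists and shared mailboxes can also set a different reply-to address.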

Verify the sender’s identity. The final word on defeating these scams is to always verify that senders are who they say they are and can offer what they claim to offer. At U-M, that means looking up the sender in MCommunity and then emailing or calling that person without replying to the suspicious message. A little up-front effort could save you from falling for a scam, help alert the impersonated party of trouble, and protect you and the university.

Phishing attempts and other email abuse at U-M can be reported to ITS Information Assurance. IA actively monitors the U-M environment and publishes alerts about phishing attempts that are active in our community.

Information and Technology Services, in partnership with the Division of Public Safety and Security, has been working to spread the word about this scam through web content, emails to faculty, staff and students, and announcements on Canvas, Wolverine Access, and the Michigan app. They ask that others share it as well.
