Be Aware of Cyber Scams

Cybercriminals are targeting students eager for work with fraudulent job offerings that attempt to steal sensitive information or request funds in the form of cash transfers, Bitcoin payments, or gift cards.

Crafty scammers can use sophisticated technology to create realistic communications that can fool you. We understand that identifying the legitimacy of an email can be difficult, especially when scammers can hack or mimic UIC email addresses. However, students can look for these red flags to help determine its validity.

• Too good to be true – The job’s description is usually vague and will offer a large amount of money for very little work.
• Written poorly – The emails are usually full of typos, not written in professional language and use very casual greetings or closing words.
• Ask for sensitive data – Scammers may ask you to purchase something, provide them with sensitive data or personal bank account information through a link, fake webpage, or an online “job” application.
• Request money, gift cards or fund transfers – Scammers will email you a check to print, ask that you deposit it in your bank account, and send funds back via bank transfer, gift cards or Bitcoin. This should be an immediate red flag. The checks are fraudulent and you may be stuck with bank fees and headaches.
• Ask to use another email – You may be asked to contact individuals through a non-university email such as a Hotmail or Gmail address. Scammers are also not available to speak on the phone if you ask to call them.

What to Do

1. Evaluate emails carefully and perform your research.
2. Search for red flags such as typos and being asked to reply to an alternate email address.
3. Do not respond to these emails or engage with the sender.
4. If you are unsure if an email is fraudulent, forward the email to security@uic.edu so it can be investigated and shared with the community.

The Technology Solutions Information Security Office has recently observed cyber security attacks targeting the UIC Community through credentials exposed in password dumps or via phishing.

“Password dumps” refers to a situation where an organization’s site is compromised and cyber attackers publish lists of usernames and passwords online where other attackers can source and use them for additional cyber attacks.

Once attackers have these valid user credentials, they are able to enter them and get past the first line of defense to trigger repeated Duo 2FA (Two-Factor Authentication) prompts (via push notifications, SMS, and phone).

Their goal is to catch someone off guard or annoy them so much with repeated attempts that they hit “accept” to get the activity to stop. When someone accepts the fraudulent Duo 2FA request, they are then granting the attacker access to their account!

Phishing emails are a type of email scam where an attacker impersonates a person, company, brand, organization, or other entity with the goal to get you to click on a link or open a file attachment. These emails can appear authentic and can fool almost anyone.

Links and attachments in phishing emails have one goal: to steal information. Links will take you to a landing page encouraging you to sign in using your login credentials. Opening malicious file attachments can install malware to your computer that is meant to record your keyboard activity and steal data. Common phishing scams include:

• Password Notifications – Emails claiming you requested a password change and to log in immediately to cancel the request.
• Voicemail Messages – Scammers try to trick you into opening an audio attachment or logging into a fake website claiming you have an urgent voicemail.
• Shipping notifications – Be aware of emails impersonating shipping companies with fake delivery notifications or shipping status alerts.
• Receipts & invoices – Scammers posing as popular online retailers, such as Amazon, send emails with a fake receipt or invoice attachment.
• Gift card & prize scams – If you receive an email that you won a gift card, be very careful especially if you do not remember entering a contest. The scammers will state you need to pay a “processing fee” via bank transfer before getting the “prize money” deposited to your bank account.
• Zoom blackmail scam – Technically, this is not a phishing scam but this email scam tries to prey on your fears. With the increased adoption of Zoom in the higher learning industry, this scammer claims they recorded you during a recent Zoom meeting while you were in a compromising or embarrassing situation. The scammers threaten to release the recording unless you make a payment or send money.

What to Do

To prevent falling victim to email scams:

1. Examine your emails very carefully and ensure they are legitimate.
2. Don’t open attachments from suspicious senders.
3. Remain calm and do not click on unknown or unsolicited links, and avoid entering login credentials on unfamiliar pages.
4. If you are unsure if an email is fraudulent, forward the email to security@uic.edu so it can be investigated and shared with the community.

Unfortunately, criminals are posing as charities, companies, banking institutions, healthcare organizations, and even local authorities. Criminals are getting more creative and brazen each day. Be aware of these phone scams:

• Robocalls – Calls from cybercriminals pretending to be government organizations, family members in distress, banks/credit card companies etc. usually with an immediate need or request for money or payment. Robocalls are less easy to detect than they used to be as the caller ID can be adjusted to make it look like the call is coming from your area code, and even real telephone numbers. These scammers can be very aggressive, and state immediate payment is required through bank transfers, gift cards or Bitcoin.
• Text messages – Fake text messages telling the recipient that they’ve performed an online transaction, there is an update on a claim or online order – even messages claiming you’ve come in contact with someone with COVID. These texts require a reply, can contain links to fake pages that solicit sensitive information. If you receive a text like this, do not reply, click on the link or share any sensitive information.
• Charity scams – Charities you don’t recognize may be asking for donations. While it is great to give back, scammers take the opportunity to mask themselves as charitable organizations. Verify all charities on the IRS tax exemption site before donating.

What to do

1. These texts prey on your curiosity or fears so be aware of these scams and remain calm.
2. Look for red flags such as being asked for payment in the form of gift cards or bitcoins, or being pressured to act quickly before “it’s too late”.
3. Never react quickly and do your research.
4. As always, stay alert and use caution to keep your money – and your information – safe.

Receive a suspicious email

• If you receive phishing/scam emails, please forward it to security@uic.edu. The security team can evaluate the email and ascertain if it is malicious.

Provided your password or information

• If you have given or entered your NetID and password or other personal information, please immediately change your password at identity.uillinois.edu and contact security@uic.edu with the details.

Purchased Bitcoin, giftcards or deposited a check 

• If you purchased gift cards, Bitcoin or deposited a fraudulent check, please contact UIC Police for assistance at 312-996-2830 or visit police.uic.edu.

Receive a scam call

• If you receive a scam telephone call, hang up, block the number and call UIC Police to report it at 312-996-2830.

Thank you in advance for your support to deter and prevent cyber attacks. Please email security@uic.edu with any questions or concerns.