The Internet Crime Complaint Center, known as IC3, has issued an alert warning about a spear phishing scam aimed at university employees around the country. It starts with an email addressed specifically with the name of the intended victim. The email looks official and appears to have been sent by the Human Resources Department of the college or university where the intended victim works. It informs the potential victim that there has been a change in the employee’s status and that the employee is required to click on a link contained in the email. The link takes the employee to a website that appears to be that of the Human Resources Department of the college or university where the victim works, and there the employee is prompted to input information. The website is counterfeit. The scam is a ruse intended to obtain the login information of the potential victim. Once this information is provided to the scammer, he or she logs on to the real Human Resources Department page and changes the bank account information for where the employee’s check is deposited, so that the school sends the victim’s check to a bank account controlled by the identity thief. In addition, since many people use the same user name and password for all of their accounts, the scammers may also attack other accounts of the victim.
Although the IC3 warning deals specifically with university and college employees, this scam works just as well with any company that pays its employees through direct deposit, so everyone who is paid through direct deposit should be aware of this scam. Remember my mantra, “trust me, you can’t trust anyone.” Never click on links in emails unless you are sure they are legitimate. In many instances, by clicking on the link, you are unwittingly downloading malware onto your computer or other electronic device. You also should never provide personal information in a reply to an email. Confirm whether or not the request for personal information is legitimate and, even then, go directly to a website for the company or other institution that you know is legitimate to provide such information. Finally, as I have warned you many times (sorry to be a nag), use a unique password for each of your accounts so that if your password for a particular account is compromised, your other accounts are still safe. This is not as difficult as it might seem. In my book “Identity Theft Alert,” I provide instructions as to how to pick easy-to-remember, strong passwords.