Recently, the Division of Information Technology(DoIT) received multiple reports of job phishing emails from a Gmail account. The phishers are pretending to offer a research assistant  job. Below is an example of the email. For privacy purposes, we removed the To field.

THIS JOB OFFER IS NOT REAL! 

• The From header says it is from Michael J. Tagler with the email address of jasonharvey001@gmail.com.  This is not impossible, but it is odd.

• The signature block at the end says the message is from Prof. Hennigan in Chemical Engineering.  Why would a professor of Chemical Engineering be advertising for a research assistant in economics?

• Why would a Prof. Hennigan be using an account named “Michael J. Tagler” with the email address of jasonharvey001@gmail.com?

• Why would Prof. Hennigan’s office number 

• be a non-UMBC phone number?

• have an area code for the San Antonio area of Texas?

• If you look up Christopher Hennigan at https://my.umbc.edu, you will find that his office is in ENG321, not TRC253

• Campus job offers are posted at https://careers.umbc.edu/handshake, not broadcast in email messages.

If you respond to this message, they will likely send you a check to deposit. DO NOT DEPOSIT THE CHECK! If you have shared any banking information, CONTACT YOUR BACK IMMEDIATELY!

If you have received any message similar to the one listed above, please forward it with its headers tosecurity@umbc.edu. For instructions, visit https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

If you need further assistance, please contact us at security@umbc.edu.

__________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. For instructions, visit https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity.

THIS JOB OFFER IS NOT REAL! 

• Positions at UMBC are advertised at https://careers.umbc.edu/handshake/.  They are not dispersed to all available email addresses.

• Why would email from Prof. Adler have a From address of: Larry Grace <lg384399@gmail.com>?

• Why not use the phone instead of Google Chat?

• Even if Prof. Adler wanted to use Google Chat,she must already have your UMBC address in Google Mail.  She doesn’t need to ask for another one.

If you respond to this message, they will likely send you a check to deposit. DO NOT DEPOSIT THE CHECK! If you have shared any banking information, CONTACT YOUR BACK IMMEDIATELY!

If you have received any message similar to the one listed above, please forward it with its headers tosecurity@umbc.edu. For instructions, visit https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

If you need further assistance, please contact us at security@umbc.edu.

__________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. For instructions, visit https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity.

Recently, the Division of Information Technology(DoIT) received a report of job phishing emails from a Gmail account (nikkijoy39@gmail.com) . The phishers are pretending to offer a job as a Research Assistant. Below is an example of the email. For privacy purposes, we removed the To field.

THIS JOB OFFER IS NOT REAL! 

Red Flags

• No legitimate job offer will ask you to reply by text message.  This is intended to make the communication harder to detect and to document.

• An office phone in UMBC’s Technology Resource Center will not have a 210 area code (San Antonio, Texas).

• Campus job offers are supposed to get posted at Handshake (https://careers.umbc.edu/handshake/), not sent out as spam to various addresses.

• Look at the contact at the end of the message. Prof. Hennigan is listed as a member of the Chemical Engineering department. He is unlikely to be looking for a research assistant for the Department of Economics.
  

If you respond to this message, they may send you a check to deposit. DO NOT DEPOSIT THE CHECK! If you have shared any banking information, CONTACT YOUR BACK IMMEDIATELY!

If you have received any message similar to the one listed above, please forward it with its headers tosecurity@umbc.edu. For instructions, visit https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

If you need further assistance, please contact us at security@umbc.edu.

__________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. For instructions, visit https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity.

Recently, the Division of Information Technology(DoIT) received reports of a phishing email. The scammers sending these emails are using a forged From address of:

'Admin Server <security@umbc.edu>'.

Below is an example of such an email. For privacy reasons, we removed the recipient’s information..

Please confirm your email account with umbc.edu    

@umbc.edu 

Attention:  

Due to the latest regulations concerning online safety and KYC 

procedure ( Know your Customer ), we are sending this urgent notice to all 

Email Administrator users, in order to filter real and active accounts. 

In order to avoid your @umbc.edu address from being shut down, 

please confirm you are still using your account now: 

Confirm email account 

By logging in, you are confirming that you are still using our services and that the person registered is the person using them.

Here is a screenshot of the same message:

Please note that the Division of Information Technology did not send this email. Visible red flags in this email:

1. The wording.  The message is being sent to ‘Email Administrator Users’.  That does not really make sense.  There is such a thing as an Email Administrator (UMBC has several of them) and such a thing as an Email User (UMBC has a lot of these), but no  ‘Email Administrator Users’.

2. The link.  If you move your mouse over the button that says ‘Confirm email account’ without clicking, and look at the bottom left of your email window, you will see a link to ‘https://ipfs.fleek.co/ipfs/QmVTaVBV6f4fVDqvviHL8CBuqpX5ZJX37YVwdNWxC5FDBG/index0000.html#@umbc.edu’.  Use this ‘mouse hover and peek trick before clicking on anything.  This link goes to a website at ipfs.fleek.co.  That .co at the end is not the same as a .com.  Two-letter endings are generally codes for specific countries (https://en.wikipedia.org/wiki/Country_code_top-level_domain)  The country code ‘.co’ is assigned to Columbia.  If you can’t think of a good reason for UMBC’s DoIT to refer you to a server registered out of Columbia to ‘confirm’ your email account,  BE SUSPICIOUS!

When you become suspicious, send an email to security@umbc.edu.  (Don’t worry, when you send it, it will go to the real UMBC IT security group!) or call the Technology Support Center at 410-455-3838.  DO NOT CLICK ON THE LINK!

For more information about phishing, visit:https://itsecurity.umbc.edu/critical/?id=98136.

If you have received any message similar to the one listed above, please forward it with its headers to security@umbc.edu. For instructions, visit: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

______________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. For instructions, visit: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity.

The site is: umbc. edu. sunward-travel. com  (Spaces are inserted here in the site’s address to ensure that it will not show up as a link in your browser.)

The site’s SSL certificate, the thing responsible for the lock icon in your browser’s navigation bar, is valid through this summer until Sep 13, 2022. The time span suggests that it could be used for phishing attacks towards the end of the summer when people often take vacations, or during the start of classes when people are getting lots of email as the academic schedules get sorted out.  

The site name contains the text ‘umbc.edu’, though not as part of the UMBC domain.  If someone receives an email referencing this site, a quick glance can pick up on the ‘umbc’ and make the site seem legitimate.  It is not a UMBC site!

If you receive a message with a link to this site, please forward it to security@umbc.edu. 

DO NOT CLICK ON IT!

References:

Understanding Padlocks on Browsers

https://medium.com/xebia-engineering/understanding-padlocks-on-browsers-ba411e5b826

HTTPS and the Lock Icon

https://crypto.stanford.edu/cs142/lectures/24-https.pdf

From: CAMPUS JOBS <roger.nicholson911@gmail.com>

Date: Wed, Jul 20, 2022 at 5:05 PM

Subject: JOB OFFER

To:

The service of a student administrative assistant is urgently required to work part-time and get paid $315 weekly. Tasks will be carried out remotely and work time is 14 hours per week.

If interested, submit your updated resume, a google hangouts email address, and a functional whatsapp number to our Department of Biological Sciences via this email address to proceed.

Sincerely

Kathleen Hoffman, Ph.D.

Affiliate Professor, Biological Sciences

Professor, Mathematics and Statistics

Department of Biological Science

Office: MP434    

Please note that neither the Biological Sciences Department nor Professor Hoffman sent this message. Three visible red flags in this email are:

1. The From address is not a UMBC email address. If the Biological Sciences Department or Prof. Hoffman were sending this email, the From address would have been a UMBC email address. However, it was sent from <roger.nicholson911@gmail.com>, which is not a UMBC affiliate. Also, “roger.nicholson” is not the same as “Kathleen Hoffman”.  Please note that the From address can be spoofed, even if it appears to originate from a UMBC email. Therefore, always check with DoIT (security@umbc.edu) or email/contact the impersonated person on a completely different email when you see a conflict in the address.  For reference, use UMBC’s online directory at https://www2.umbc.edu/search/directory/advanced/

2. Whatsapp number.  A lot of scammers will ask for your WhatsApp number. If their number gets reported, they can easily get a new one. The same can be said for an email address; however, if their email is blocked, they will lose responses from other phishing email recipients. If you ever receive a job offer asking for a WhatsApp number or a phone number in general,  BE SUSPICIOUS!

3. The email template. This template is very common. After a quick Google search, we found a few Job scams articles with the same template. So if you are ever in doubt, Google it! Just copy-and-paste several sentences of the text into Google.  UMBC will not use a known phishing template to offer you a job opportunity.

For more information about phishing, visit:https://itsecurity.umbc.edu/critical/?id=98136.

If you have received any message similar to the one listed above, please forward it with its headers tosecurity@umbc.edu. For instructions, visit: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

______________________________________________________________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. For instructions, visit: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity.

Recently, the Division of Information Technology(DoIT) has seen an increase in phishing attacks where items(docs, pdf, spreadsheets) are shared with the UMBC community. An example of such messages can be found below. For privacy purposes, the To field was removed.

From: Christine Bourne (via Google Drive) <drive-shares-dm-noreply@google.com>

Date: Tue, Jul 19, 2022 at 6:39 PM

Subject: Item shared with you: "2022resource.pdf"

To: 

Christine Bourne shared an item Christine Bourne (bournec@mpsct.org) has shared the following item: 2022resource.pdf

Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

There is no ‘Christine Bourne’ in the UMBC directory (https://www2.umbc.edu/search/directory/advanced/) or otherwise associated with UMBC.  Most individuals who have reported this document do not know the sender. Whenever you receive messages like this, ask yourselves:

1. Was I expecting this document? Before receiving a document, you were most likely notified by the individual sending the document. If you were not expecting it, check with the sender if you know them personally. If you do not know the sender, report it to <security@umbc.edu>.

2. Do I know this email and name? Remember, names can be spoofed, and email addresses too! If you do not recognise the name or email,  forward the message to <security@umbc.edu> immediately. DO NOT OPEN IT!

3. Is there any online information about this account? By doing a quick Google search, we can see that <bournec@mpsct.org> doesn’t belong to Christine Bourne. If you see a discrepancy like this,  forward the message to <security@umbc.edu> immediately,  DO NOT OPEN IT!

These are not novel attacks, below are some examples of previously reported campaigns:

• 145_001.pdf shared by <tmusgrave@slusd.us> 

• NEW COVID-19 PROTOCOLS.docx shared by <helptool05@gmail.com>

• DC.docx shared by <helpd8708@gmail.com>

• Departmental distribution list.docx <ithelpdesko400@gmail.com>

• Departmental distribution list.docx <ithelpdesko4000@gmail.com>

• Departmental distribution list.docx <ithelppdesk007@gmail.com>

If you have any questions, please feel free to contact us at security@umbc.edu.

______________________________________________________________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. For instructions, visit https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity