Recent scam shows dangers that come with email phishing



The first email in this phishing scam claims your email account will be terminated if it's not verified. Screenshot provided by Rich Tener.


Dealing with phishing scams is an all-too-common part of the job for information technology services (ITS) staff, but a recent attack on faculty, staff and students was one of the most persistent and disruptive.

Chief information security officer Rich Tener said the multipronged attack occurred in June. Emails sent by scammers warned recipients, mostly students, that their email account would be deactivated if it was not verified. Once the scammers gained access to an email account, they used that address to send additional phishing emails. Finally, the scammers sent another email promising a job; the goal was to have the recipient cash a fake check, buy gift cards with their own money and send the card details to the scammer. By the time the bank realizes the check is fake, the money is lost, Tener said.

Anatomy of a scam

Chief information security officer Rich Tener was among the Iowa State faculty, staff and students who received an email that was part of a phishing scam during June.

"This scam was a little more devious. They like to have a call to action that makes you feel uncomfortable," he said. "This one was that your account was going to be deleted if you didn't verify it."

From June 12 to 28, 99 ISU student accounts were compromised, but ITS staff was able to protect 50 accounts before they could be used to send additional phishing emails. During this attack, a compromised account sent out an average of 12,734 emails. Tener said ITS is alerted to about 400 potential scam emails a month.
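The article does not say how ITS spotted compromised accounts before they could send their phishing bursts. As an added illustration (not ITS's tooling), the following Python detector runs a sliding-window count of outbound recipients per sender over constructed mail-log lines and flags any account whose volume in a short window jumps far beyond what a student would normally send; the log format, addresses and threshold are all assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mail-log lines (not real ISU data): "timestamp sender recipient_count".
# bstudent's burst mimics a hijacked account sending bulk phishing; astudent is normal use.
SAMPLE_LOG = """\
2024-06-14T08:02:11 astudent@example.edu 1
2024-06-14T08:15:40 astudent@example.edu 2
2024-06-14T09:00:05 bstudent@example.edu 1
2024-06-14T09:00:06 bstudent@example.edu 48
2024-06-14T09:00:07 bstudent@example.edu 50
2024-06-14T09:00:09 bstudent@example.edu 50
2024-06-14T09:00:12 bstudent@example.edu 49
2024-06-14T14:30:00 astudent@example.edu 3
"""

def parse_log(text):
    """Yield (timestamp, sender, recipient_count) from the assumed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, count = line.split()
        yield datetime.fromisoformat(ts), sender.lower(), int(count)

def flag_bulk_senders(events, window=timedelta(minutes=10), max_recipients=100):
    """Return {sender: peak recipients reached within any `window`} for senders over the limit.

    A sliding window per sender catches both a burst of small messages and a few
    large ones. The 100-recipient limit is an assumed policy value, not ITS's.
    """
    per_sender = defaultdict(list)
    for ts, sender, count in sorted(events):
        per_sender[sender].append((ts, count))
    flagged = {}
    for sender, sends in per_sender.items():
        start, running, peak = 0, 0, 0
        for ts, count in sends:
            running += count
            # Drop sends that fell out of the window ending at `ts`.
            while sends[start][0] < ts - window:
                running -= sends[start][1]
                start += 1
            peak = max(peak, running)
        if peak > max_recipients:
            flagged[sender] = peak
    return flagged

if __name__ == "__main__":
    print(flag_bulk_senders(parse_log(SAMPLE_LOG)))
```

A flagged account is a candidate for the response described later in the article (password reset and session revocation), ideally before most of the burst leaves the mail system.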

The fake form recipients filled out not only asked for Iowa State email information, but also email information from accounts with different universities. Tener said numerous Des Moines Area Community College emails were likely impacted by the scam.

The scam

The phishing scam began with an email claiming to be from the "IT Helpdesk" asking the recipient to verify their ISU email account and accounts with other universities. It included a link to a web form hosted on a non-ISU website, where the individual entered their name, email address and password, the email addresses and passwords of accounts at other institutions, and a phone number.

The scammers tested the password and texted each person directly asking them to verify the account by sending the next security code they received.

"The scammers are sitting at their computer, half logged-in to Okta with the email address, and have the person text them the security code to enter," said Tener, who advised never sending a code to anyone. "Then they are in."

The second half of the scam featured the fake job offer, in which the recipient would be emailed a check they could print off and cash.

"They send you a check for mobile deposit in your bank account and ask the person to screenshot a picture of the deposit," Tener said. "They then assign their first task: Buy gift cards, scratch off the number on the back and send them pictures of those numbers.

"The person thinks they just got paid so they should be able to do this, and the bank finally figures out the check isn't cashing and takes the money back. Anyone who fell for it is out all the cash they spent for the scammer."

Tener said the scammers mostly targeted new students because they tend to be less tech savvy and more willing to share their Net-ID. Job scams often seem too good to be true, and it's important never to forward them to others and compound the issue, he said.

Be skeptical

Tener said when someone receives an email they suspect is phishing for information, they can select it in Outlook and click "Report Phishing" under the "Message" tab. Or, on a mobile device, select the message, tap the three dots at the top of the screen, choose "Report Junk" and select phishing to send it to ITS staff.

When ITS receives a phishing or job scam email, staff immediately scrambles the account password, revokes all active sessions logged into the account, deletes the email out of every ISU recipient's email account and contacts the individual on their mobile phone to explain what is happening and help restore access to the account.

"When it comes to your password, only ever enter it into and Eduroam for wireless internet access," Tener said. "No ISU employee will ever ask you for your password."

To combat the scammers and limit further issues, individuals from the identity services team, Solutions Center and IT security worked together and responded to suspicious emails.