Beware of Scams
On this page:
- Criminals and hackers are constantly coming up with new schemes designed to compromise computers, trick you into revealing valuable information (personal, financial, etc.), steal passwords, or trick you out of money.
- It can be difficult to know if someone is telling the truth on the Internet.
- Scams can lead to identity theft, regular theft, access to your accounts and personal information, and compromised computers.
- A compromised computer can put ALL of your information and passwords at risk
The practice of trying to trick or manipulate people into breaking normal security procedures is called “Social Engineering”. The principle behind social engineering and scams in general is that people are the weak link in security – that it can be easier to trick people than to hack into computing systems by force.
Social engineers exploit people’s natural tendency to want to trust and be helpful. They also take advantage of our tendency to act quickly when faced with a crisis. The scams described on this page are all classic examples of social engineering.
Scams commonly use email, the internet, or the telephone to trick people into revealing sensitive information or get them to do something that is against policy. Key indicators:
- You are being asked for personal or private information, your password, financial account information, Social Security Number, or money.
- Unexpected/unsolicited email with a link or an attachment
- Requests that you forward emails, attachments, links, etc. to your friends, co-workers or family
- Promises of something too good to be true. This includes bargains and “great offers,” or links to claim an award/reward.
- Other indicators that an email isn’t legitimate:
- It’s not addressed to you, specifically, by name.
- The sender isn’t specified, isn’t someone you know, or doesn’t match the “from” address.
- It has spelling or grammatical errors.
- It has a link that doesn’t seem match where the email says the link will take you, or an attachment with an incorrect or suspicious filename – or a suspicious file extension (e.g.: *.zip, *.exe, *.vbs, *.bin, *.com, *.pif, *.zzx)
- It has a link/attachment to view an unexpected e-card or track an unknown package
- It includes links to pictures or videos from people you don’t personally know
- Phishing is a scam designed to steal information or passwords, compromise computers or trick you out of money - typically via deceptive emails, texts, posts on social networking sites, pop-ups or phone calls. A phisher may ask for your name, account information, date of birth, Social Security number, address, etc. They may also try to get you to click on a link or open a file.
- Some examples include:
- “There’s a problem with your account” – trying to trick you into sending your password or clicking on a link in order to fix a problem.
- “Click this link” – trying to trick you into clicking on a malicious link designed to steal your information or infect your computer.
- “Open this attachment" – similar to “click this link,” scams designed to trick you into opening a harmful attachment.
- Phony security alerts – email, pop-ups or Facebook notices warning that your computer is at risk of being infected, typically with a link to click.
- Money Phishing – trying to trick you out of money or bank/credit card account info. Often by pretending to be someone from another country who needs assistance accessing a large sum of money. Or a friend stuck in another country without any money.
- UCSC and ITS and other reputable organizations will NEVER email you for your password, Social Security number, or any confidential or personal information.
- Phishing and Spam IQ Quiz: SonicWALL has published a fun, informative quiz to test how well you distinguish between email schemes and legitimate email.
Impersonation: attackers pose as someone in authority, or an IT representative, in order to obtain information or direct access to systems. Attackers may research the target so they know enough to convince you to trust them.
Dumpster Diving: going through trash to obtain valuable information for targeted attacks. Any sensitive information--paper or electronic--that is thrown away or recycled intact is vulnerable to dumpster diving.
- Make sure your computer is protected with anti-virus and all necessary security "patches" and updates, and that you know what you need to do, if anything, to keep them current.
- Don't respond to email, instant messages (IM), texts, phone calls, etc., asking for your password. You should never disclose your password to anyone, even if they say they work for UCSC, ITS, other campus organizations, or places you do business with (like your bank).
- Don’t give sensitive personal, financial, log-in, business, system or network information to anyone you don’t know or who doesn't have a legitimate need for it -- in person, over the phone, via email, IM, text, Facebook, Twitter, etc.
- Don't open files, click links, or call numbers in unsolicited emails, text messages, IMs, Facebook postings, tweets, etc.
- Instead of clicking on a link, look up the website yourself by a method you know to be legitimate – or contact the sender separately by a method you know to be legitimate to verify.
- Malicious links can infect your computer or take you to web pages designed to steal your information. Malicious attachments can infect your computer. Even semingly legitimate links and attachments can be harmful.
- If you can't verify something is legitimate, ignore or delete it.
- Cryptic or shortened URLs (e.g. Tiny URLs) are particularly risky because you can't easily tell where they are supposed to go.
- Don’t click on links in pop-up ads/windows. Use your web browser’s pop-up blocker, if it has one, to help prevent these ads from getting through.
- Delete spam and suspicious emails; don't open, forward or reply to them.
- Some email and general security tips from eWeek.com: Email Security: 10 Steps for Dealing With Dangerous Messages
Report spam and phishing to Google:
- You must do this from your email on Google's website: email.ucsc.edu
- For spam, select the message and click on the spam button in the toolbar above your message list (the one that looks like a stop sign with an exclamation mark).
- To report phishing, open the message and click on the little drop down arrow next to the reply button in the top right corner of the email and select "Report phishing" (you can also report spam this way). For additional details, see Google's instructions.
Rev. December 2012