Beware of Scams
On this page:
- Criminals and hackers are constantly coming up with new schemes designed to compromise computers, steal passwords, trick you into revealing valuable information (personal, financial, etc.), or trick you out of money.
- It can be difficult to know if someone is telling the truth on the Internet.
- Scams can lead to identity theft, regular theft, access to your accounts and personal information, and compromised computers.
- A compromised computer can put ALL of your information and passwords at risk.
The practice of trying to trick or manipulate people into breaking normal security procedures is called “Social Engineering”. The principle behind social engineering and scams in general is that people are the weak link in security – that it can be easier to trick people than to hack into computing systems by force.
Social engineers exploit people’s natural tendency to want to trust and be helpful. They also take advantage of our tendency to act quickly when faced with a crisis. The scams described on this page are all classic examples of social engineering.
Scams commonly use email, the internet, or the telephone to trick people into revealing sensitive information or get them to do something that is against policy. Key indicators:
- You are being asked for personal or private information, your password, financial account information, Social Security Number, or money.
- Unexpected/unsolicited email with a link or an attachment
- Scare tactics or threats stressing that if you don't act quickly something bad will happen
- Promises of something too good to be true. This includes bargains and “great offers,” or links to claim an award/reward.
- Requests that you forward emails, attachments, links, etc. to your friends, co-workers or family
- Other indicators that an email isn’t legitimate:
  - It’s not addressed to you, specifically, by name.
  - The sender isn’t specified, isn’t someone you know, or doesn’t match the “from” address.
  - It has spelling or grammatical errors.
  - It has a link that doesn’t seem to match where the email says the link will take you, or an attachment with an incorrect or suspicious filename – or a suspicious file extension (e.g.: *.zip, *.exe, *.vbs, *.bin, *.com, *.pif, *.zzx)
  - It has a link/attachment to view an unexpected e-card or track an unknown package
  - It includes links to pictures or videos from people you don’t personally know
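As an added illustration (not part of the original page), the script below checks a constructed sample message for several of the indicators listed above: an attachment with one of the suspicious extensions, link text that shows a different site from the one the link actually goes to, and a body that asks for a password or pushes you to act immediately. The sample message, its hostnames and the phrase list are all made up for this example.

```python
import os
import re
from email import message_from_string
from urllib.parse import urlparse

# Extensions this page calls suspicious, and phrases matching its "asks for your password" and "scare tactics" indicators.
SUSPICIOUS_EXTENSIONS = {".zip", ".exe", ".vbs", ".bin", ".com", ".pif", ".zzx"}
RED_FLAG_PHRASES = ("password", "social security", "immediately", "will be suspended")

def host_of(text):
    """Lowercase hostname of a URL or bare domain, or None if text is not one."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host.lower() if host else None

def phishing_indicators(raw_message):
    """Return the indicators from this page that are present in one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings, html = [], ""
    for part in msg.walk():
        filename = part.get_filename()
        if filename and os.path.splitext(filename)[1].lower() in SUSPICIOUS_EXTENSIONS:
            findings.append("suspicious attachment: " + filename)
        elif part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
    # Regex anchor extraction is enough for the constructed sample; it is not a full HTML parser.
    for href, shown in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown_host, real_host = host_of(re.sub(r"<[^>]+>", "", shown)), host_of(href)
        if shown_host and real_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host} but goes to {real_host}")
    body = re.sub(r"<[^>]+>", " ", html).lower()
    findings += ["body mentions: " + p for p in RED_FLAG_PHRASES if p in body]
    return findings

# Constructed sample message (not a real phish) carrying several indicators at once.
SAMPLE = """From: "ITS Help Desk" <helpdesk@example.invalid>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>Your mailbox will be suspended. Confirm your password immediately at
<a href="http://login.example.invalid/fix">https://mail.example.edu</a></p>
--b1
Content-Disposition: attachment; filename="invoice.pdf.exe"

--b1--
"""
```

Running `phishing_indicators(SAMPLE)` returns five findings for the sample; a plain-text message with none of these traits returns an empty list.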
- Phishing is a scam designed to steal information or passwords, compromise computers or trick you out of money - typically via deceptive emails, texts, posts on social networking sites, pop-ups or phone calls. A phisher may ask for your name, account information, date of birth, Social Security number, address, etc. They may also try to get you to click on a link or open a file.
- Some examples include:
  - “There’s a problem with your account” – trying to trick you into sending your password or clicking on a link in order to fix a problem.
  - Phony security alerts – email, pop-ups or Facebook notices warning that your computer is at risk of being infected, typically with a link to click.
  - Phony computer support – see example below
  - Money Phishing – trying to trick you out of money or bank/credit card account info. Often by pretending to be someone from another country who needs assistance accessing a large sum of money. Or a friend stuck in another country without any money. Or an IRS agent claiming that you owe taxes and must pay immediately over the phone.
- UCSC and ITS and other reputable organizations will NEVER email you for your password, Social Security number, or any confidential or personal information.
- Phishing and Spam IQ Quiz: SonicWALL has published a fun, informative quiz to test how well you distinguish between email schemes and legitimate email.
Impersonation: Attackers pose as someone in authority, or an IT representative, in order to obtain information or direct access to systems. Attackers may research the target so they know enough to convince you to trust them.
- An example of this is an IRS scam that is targeting students.
- Another example of this is the "Microsoft computer support" scam. Someone supposedly from the Microsoft or Windows Support Center calls you and tells you there's a problem with your computer, or someone's trying to hack in. They usually have you run some simple commands then they ask you to install something that will allow them to "fix the problem". They might send you an attachment or a link, or just read you a URL. Following the instructions will give them full access to your computer to do whatever they want.
Ransomware: Scams that lock your computer and demand that you pay money to get it unlocked. A classic example is: You get a popup telling you that there is a problem with your computer. The popup offers you free or cheap "anti-virus" to fix the problem. After you install the fake anti-virus, it locks your computer and you have to pay to get it unlocked. Another recent variant is that the popup prompts you to sign in with your Windows account or email or something in order for "Windows" to fix the problem. After you sign in, the program locks your browser. In order to unlock it you need to buy "anti-virus" for $200 or $300. This is also a double whammy because you also give the attacker your credit card information.
Dumpster Diving: Going through trash to obtain valuable information for targeted attacks. Any sensitive information--paper or electronic--that is thrown away or recycled intact is vulnerable to dumpster diving.
- Make sure your computer is protected with anti-virus and all necessary security "patches" and updates, and that you know what you need to do, if anything, to keep them current.
- Don't respond to email, instant messages (IM), texts, phone calls, etc., asking for your password. You should never disclose your password to anyone, even if they say they work for UCSC, ITS, other campus organizations, or places you do business with (like your bank).
- Don’t give sensitive personal, financial, log-in, business, system or network information to anyone you don’t know or who doesn't have a legitimate need for it -- in person, over the phone, via email, IM, text, Facebook, Twitter, etc.
- Don't open files, click links, or call numbers in unsolicited emails, text messages, IMs, Facebook postings, tweets, etc.
- Instead of clicking on a link, look up the website yourself by a method you know to be legitimate – or contact the sender separately by a method you know to be legitimate to verify.
- Malicious links can infect your computer or take you to web pages designed to steal your information. Malicious attachments can infect your computer. Even seemingly legitimate links and attachments can be harmful.
- If you can't verify something is legitimate, ignore or delete it.
- Cryptic or shortened URLs (e.g. Tiny URLs) are particularly risky because you can't easily tell where they are supposed to go.
- Don’t click on links in pop-up ads/windows; don't respond to them in any way. Use your web browser’s pop-up blocker, if it has one, to help prevent these ads from getting through.
- Delete spam and suspicious emails; don't open, forward or reply to them.
- Some email and general security tips from eWeek.com (from 2012, but still relevant): Email Security: 10 Steps for Dealing With Dangerous Messages
Report spam and phishing to Google:
- You must do this from your email on Google's website: email.ucsc.edu
- For spam, select the message and click on the spam button in the toolbar above your message list (the one that looks like a stop sign with an exclamation mark).
- To report phishing, open the message and click on the little drop down arrow next to the reply button in the top right corner of the email and select "Report phishing" (you can also report spam this way). For additional details, see Google's instructions.
Rev. Mar 2016