Protect Yourself from Scams
Criminals and hackers are constantly coming up with new scams designed to compromise computers, steal passwords, trick you into revealing valuable information (personal, financial, etc.), or trick you out of money. Scams can lead to identity theft, regular theft, access to your accounts and personal information, and compromised computers. A compromised computer can put ALL of your information and passwords at risk.
How to Protect Yourself
Make sure your computer is protected with anti-virus software and all necessary security patches and updates, and that you know what you need to do to keep them current. For more information on how to stay secure on your devices visit How to Stay Secure.
What to Look Out For
The principle behind the scams listed below is that people are the weak link in security — that it can be easier to trick people than to hack computing systems. Many scams exploit people’s tendencies to trust and be helpful. They also take advantage of our tendency to act quickly when faced with a crisis.
Student Job Offer Scams
These job offers are often unsolicited, meaning you never applied or interviewed for the job. Other times, you are invited to apply for a job with unusually desirable conditions (short hours, easy work, lots of money, ability to work from home); after you apply, a short and easy interview process, light on actual job details, may be conducted. These scams can also start with someone offering to help you with your resume or find a job. For more information, visit the Student Job Offer Scams page.
Financial Adviser Solicitations
Watch out for unauthorized and misleading financial adviser solicitations. These messages, delivered through emails, invitations, and cold calls, may offer you help with retirement planning. Most are intentionally misleading and suggest that UC is endorsing their services. It’s easy to confuse these unauthorized advisers with UC-contracted financial planning services. If you receive an unsolicited email from a financial adviser, please do not respond or click on any links within; just delete the message. For more information, please visit UC's Be careful about financial adviser solicitations page.
Phishing
Phishing is a scam designed to steal information or passwords, compromise computers, or trick you out of money, typically via deceptive emails, texts, posts on social networking sites, pop-ups, or phone calls. For more information on what to watch out for, go to Avoiding Phishing Emails. If you suspect that an email is not legit, don't click on it. Instead, check the sender’s email address and verify it or speak to the sender directly before taking any action. For more information, have a look at UC Santa Cruz’s General Phishing Awareness video.
Some examples of phishing emails include:
- Impersonation spoofing, in which a criminal impersonates another individual or organization with the intent to gather personal or business information. Attackers may research their target so they can gain trust, or they may bet on the target’s desire to please a co-worker or boss.
- Phony tech support emails, with subject lines such as “There’s a problem with your account,” which are meant to trick you into sending your password or clicking on a link in order to fix a problem.
- Phony security alerts, such as emails, pop-ups, or Facebook notices warning that your computer is at risk of being infected, typically with a link to click.
- Requests for money, such as emails or phone calls from someone pretending to be from another country who needs assistance accessing a large sum of money, a friend stuck in another country without any money, or an IRS agent claiming that you owe taxes and must pay immediately over the phone.
Other kinds of phishing scams include:
- Angler Phishing, in which scammers use fake social media posts to get you to provide log-in info or download malware.
- SMS Phishing or "Smishing," which refers to phishing through some form of a text message or SMS.
- Spear Phishing, in which criminals obtain information about you from websites or social networking sites and customize a phishing scheme to you.
- Voice phishing or "Vishing," in which you receive a fraudulent call designed to obtain sensitive information such as log-in credentials. For instance, the attacker might call pretending to be a support agent or representative of your company.
- Whaling, in which attackers go after a "big fish" like a CEO. These attackers often spend considerable time profiling the target to find the opportune moment and means to steal log-in credentials. Whaling is of particular concern because high-level executives are able to access a great deal of sensitive company information.
Latest Phishing Attempts
For real examples of what phishing scams are currently targeting students, faculty, and staff, visit the ITS Phish Bowl page.
Reporting Phishing to Google
If you think you have discovered a phishing scam, report it to Google.
- Open the message in Gmail (in your web browser).
- Click the three vertical dots ( ⋮ ) next to “Reply.”
- Choose “Report phishing.”
For more information, have a look at UCSC’s Reporting Phishing to Gmail Tutorial video.
If you receive a threatening phishing email, also report it to your local police department.
What to Do If You Have Responded to a Phishing Scam
If you find yourself among the millions of people who have responded to phishing and have exposed their personal information, you should report it and perform the following actions based on the information you revealed.
- If the phishing message was directed to your UCSC email account, report the incident to ITS Information Security through the UCSC ITS Support Center.
- If you believe you have been a victim of fraud or identity theft, immediately notify your local police jurisdiction and cease all contact with the suspect organization. You can also contact the UCSC Police Department Dispatch Center to speak with an officer at 831-459-2231 (option 1).
If Your UCSC CruzID Passwords Have Been Exposed
- Immediately change your UCSC passwords. If you use this password on other non-UC Santa Cruz accounts, change those to new unique passwords ASAP. Visit the Resetting CruzID Blue and Gold passwords page for instructions.
- Report the phishing attempt to Google.
If Your Bank or Credit Card Account Number, Password, or PIN Has Been Exposed
- Call your bank’s hotline, usually printed on the back of your bank card, and report the incident.
- If you have transferred money to a scammer, report the incident to your local police.
- Inspect your account statements carefully for signs of misuse.
- Consider locking your credit records. This will keep anyone from opening a new account.
- Go to your bank’s online website for information about fraud, phishing or identity theft. Find out what your bank expects you to do.
If Any Personal Information Was Exposed
- Put a lock on your credit reports at Equifax, Experian, and TransUnion to block the creation of any new credit card accounts. When you lock your credit record, no other organization can check your credit without your permission, and this will keep anyone from opening a new account.
- Sign up for their credit monitoring service, a fee-based service that will automatically notify you whenever your credit record is accessed.
- Review the recommendations from the Social Security Administration about identity theft and your Social Security Number.
Notify the Federal Trade Commission (FTC) That You Have Been Phished
The FTC is the nation's consumer protection agency and works to prevent fraud, deception, and unfair business practices in the marketplace. You can report phishing and other scams on the FTC’s Report Fraud page. If you are a victim of identity theft, visit the FTC’s Identity Theft page.
The following websites of national agencies that deal with internet fraud also provide helpful information about dealing with identity theft issues:
Information Security Scams Glossary
Business Email Compromise (BEC): Carefully planned and researched attacks that impersonate a company executive, vendor, or supplier.
Compromise: Disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.
Data Breach: A security incident where confidential or protected information has been exposed and stolen due to unauthorized access. A data breach can be intentional or accidental. A cybercriminal may hack the database of a company where you’ve shared your personal information, or an employee at that company may accidentally expose your information on the internet.
Fake Invoice: An attachment that looks like an invoice but is really a scam.
Hacker: Also called phishers or scammers, hackers breach defenses to gain unauthorized access to computers, phones, tablets, IoT devices, networks, or entire computing systems. Hackers take advantage of weaknesses in network security to install malware, steal or destroy data, disrupt service, and more.
Hacking: Hacking is the act of identifying and then exploiting weaknesses in a computer system or network, usually to gain unauthorized access to personal or organizational data. Types of hacking include: hacking passwords, infecting devices with malware, exploiting insecure wireless networks, spying on emails, and logging keystrokes.
Phishing: The practice of sending fraudulent emails or other messages disguised as messages from trustworthy sources, meant to lure you into revealing sensitive or confidential information.
Pharming: A type of online scam where cybercriminals trick users into visiting fake websites that resemble legitimate ones to steal their personal information, such as passwords or credit card details.
Pop-up Scam: A scam that uses a pop-up about a problem with your computer’s security or some other issue to trick you into clicking. You are then directed to download a file, which ends up being malware, or to call what is supposed to be a support center.
Ransomware: A scam that locks your computer and demands money to unlock it. This is a double whammy because you also give the attacker your credit card information.
Robocall: A call that delivers a prerecorded message through autodialing software to millions of people each day. If you answer your phone and hear a recorded message instead of a real person speaking, you are listening to a robocall. Some robocalls provide useful information, such as appointment reminders or flight cancellations, but some are trying to sell you something, and many of them are scams.
Spam: Unsolicited and unwanted junk email sent out in bulk to a wholesale recipient list. Typically, spam is sent for commercial purposes. While these emails can be a nuisance, they are not considered malicious.
Survey Scam: A fraudulent online or email survey that asks for personal or financial information. Be cautious about the legitimacy of any unexpected survey, especially if you do not know the company or topic and it is asking for personal information.