Beware of Scams



Don't be fooled by scams!

Criminals and hackers are constantly coming up with new schemes designed to compromise computers, steal passwords, trick you into revealing valuable information (personal, financial, etc.), or trick you out of money.

Scams can lead to identity theft, regular theft, access to your accounts and personal information, and compromised computers.

A compromised computer can put ALL of your information and passwords at risk.


These job offers are often unsolicited, meaning you never applied or interviewed for the job. Other times, you are invited to apply for a job with unusually desirable conditions (short hours, easy work, lots of money, ability to work from home); after you apply, a short and easy interview process, light on actual job details, may be conducted. These scams can also start with someone offering to help you with your resume or find a placement in a job. Read more about unexpected student job offers.


You may have received an email about pension or retirement assistance that included a link to make an appointment for a consultation. Please note that this third-party marketing company has not been vetted by UCSC as a viable option for employees to use in retirement planning. Employees are always welcome to have a financial consultant of their own choosing, but we wanted to make sure anyone receiving this email knew this was not a university-sponsored company. If you receive this email, please do not respond or click on any links within; just delete the message.

UCSC approved retirement services can be found on the Staff Human Resources website.

For more information about this consultation please visit Be careful about financial adviser solicitations.


Impersonation Spoofing is an email scam that uses an email account whose Display Name is that of a sender known to the recipient, typically a co-worker or a person in a position of authority. The goal is to obtain information, money, or direct access to systems. Attackers may research the target so they know enough to convince you to trust them, or they will bet on your desire to please someone like your boss by completing their task. Check the email address that the message came from. It is very important that all users verify unusual requests before taking any action, either by checking the email FROM address or by speaking to the sender directly, rather than relying on the message signature and/or display name.
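The check described above (compare the display name with the actual FROM address) can also be automated in a mail filter. The sketch below is an added example, not part of the original page or any UCSC tooling; the directory of names, the addresses, and the sample headers are constructed for illustration.

```python
from email.header import decode_header, make_header
from email.utils import parseaddr
import unicodedata

# Constructed directory (made-up people and addresses): display names the
# recipient trusts, mapped to the only address each one really sends from.
KNOWN_SENDERS = {
    "Pat Example": "pexample@university.example",
    "Dana Sample": "dsample@university.example",
}

def name_key(name: str) -> tuple:
    """Order-, case- and accent-insensitive key: 'Example, Pat' == 'Pat Example'."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return tuple(sorted(text.casefold().replace(",", " ").split()))

DIRECTORY = {name_key(n): a.lower() for n, a in KNOWN_SENDERS.items()}

def check_from_header(from_header: str) -> str:
    """Classify a raw From: header value by comparing display name to address."""
    display, address = parseaddr(from_header)
    if not address:
        return "unparseable"
    # Display names may arrive as RFC 2047 encoded words; decode before comparing.
    display = str(make_header(decode_header(display)))
    expected = DIRECTORY.get(name_key(display))
    if expected is None:
        return "unknown-sender"        # name makes no claim to a trusted identity
    if address.lower() == expected:
        return "ok"                    # trusted name and its expected address
    return "display-name-mismatch"     # trusted name on an unexpected address

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    "Pat Example <pexample@university.example>",
    "Pat Example <pat.example.office@freemail.example>",
    '"Example, Pat" <urgent.request@freemail.example>',
    "=?utf-8?q?P=C3=A1t_Example?= <pexample1@freemail.example>",
    "Newsletter Team <news@vendor.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_from_header(header):22} {header}")
```

A "display-name-mismatch" result is a reason to verify the request with the sender directly, not proof of fraud, since people do occasionally write from a second address.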


The practice of trying to trick or manipulate people into breaking normal security procedures is called “Social Engineering”. The principle behind social engineering and scams in general is that people are the weak link in security – that it can be easier to trick people than to hack into computing systems by force. 

Social engineers exploit people’s natural tendency to want to trust and be helpful. They also take advantage of our tendency to act quickly when faced with a crisis. The scams described on this page are all classic examples of social engineering.


  • Phishing is a scam designed to steal information or passwords, compromise computers or trick you out of money - typically via deceptive emails, texts, posts on social networking sites, pop-ups or phone calls. For more information on what to watch out for, go to Avoiding Phishing Emails.
  • Hover over any links to see specifically where you are being directed. If it's not legit, don't click.
  • Some examples include:
    • “There’s a problem with your account” – trying to trick you into sending your password or clicking on a link in order to fix a problem.
    • Phony security alerts – email, pop-ups or Facebook notices warning that your computer is at risk of being infected, typically with a link to click.
    • Phony computer support
    • Money Phishing – trying to trick you out of money or bank/credit card account info, often by pretending to be someone from another country who needs assistance accessing a large sum of money, a friend stuck in another country without any money, or an IRS agent claiming that you owe taxes and must pay immediately over the phone.

If you think you have discovered a Phishing scam, report it to Google. Train your spam filter:

  • Open the message in Gmail (in your web browser)
  • Click the three vertical dots ' ⋮ ' next to reply
  • Choose 'Report phishing'

If you receive a threatening phishing email, report it to the Police Department.

Delete spam and suspicious emails; don't open, forward, or reply to them. They are in your spam folder for a reason.

More on Gmail


Business Email Compromise (BEC): Carefully planned and researched attacks that impersonate a company executive, vendor, or supplier.

Compromise: Disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.

Data breach: This is a type of security incident where confidential or protected information has been exposed and stolen due to unauthorized access. A data breach can be intentional or accidental. A cybercriminal may hack the database of a company where you’ve shared your personal information. Or an employee at that company may accidentally expose your information on the Internet.

Fake Invoices: Attachments that look like invoices but are really scams.

Hacking: Hacking is the act of identifying and then exploiting weaknesses in a computer system or network, usually to gain unauthorized access to personal or organizational data. Types of hacking include: social engineering, hacking passwords, infecting devices with malware, exploiting insecure wireless networks, gaining backdoor access, spying on emails, logging keystrokes, and creating zombie computers.

Hacker: Also called phishers or scammers, hackers breach defenses to gain unauthorized access into computers, phones, tablets, IoT devices, networks, or entire computing systems. Hackers also take advantage of weaknesses in network security to gain access. The reasons for hacking can be many: installing malware, stealing or destroying data, disrupting service, and more.

Phishing: An email sent from an Internet criminal disguised as an email from a legitimate, trustworthy source. The message is meant to lure you into revealing sensitive or confidential information.

Types of Phishing:

  • Angler Phishing: Anglers use fake social media posts to get people to provide login info or download malware.

  • Impersonation Spoofing: Describes a criminal who impersonates another individual or organization, with the intent to gather personal or business information.

  • Pharming: A malicious website that resembles a legitimate website, used to gather usernames and passwords.

  • SMS Phishing or "Smishing": Phishing through some form of a text message or SMS.

  • Spear Phishing: When criminals obtain information about you from websites or social networking sites, and customize a phishing scheme to you.

  • Voice phishing or "Vishing": A form of social engineering. It is a fraudulent phone call designed to obtain sensitive information such as login credentials. For instance, the attacker might call pretending to be a support agent or representative of your company.

  • Whaling: When attackers go after a "big fish" like a CEO. These attackers often spend considerable time profiling the target to find the opportune moment and means to steal login credentials. Whaling is of particular concern because high-level executives are able to access a great deal of sensitive company information.

Pop-up Scams: Scams that use a pop-up about a problem with your computer’s security or some other issue to trick you into clicking. You are then directed to download a file, which ends up being malware, or to call what is supposed to be a support center.

Ransomware: Scams that lock your computer so that you have to pay money to get it unlocked. This is also a double-whammy because you also give the attacker your credit card information.

Robocalls: A robocall is a call that delivers pre-recorded messages through auto-dialing software to millions of people each day. If you answer your phone and hear a recorded message instead of a real person speaking, you are listening to a robocall. Some robocalls provide useful information, such as appointment reminders or flight cancellations. Mostly, though, they are trying to sell you something, and many of them are scams.

Spam: Unsolicited and unwanted junk email sent out in bulk to a wholesale recipient list. Typically, spam is sent for commercial purposes. While these emails can be a nuisance, they are not considered malicious.

Survey Scams: Be cautious about the legitimacy of the form. Were you expecting a survey? Do you know the company or topic it is asking about? Is it asking for personal information?


Make sure your computer is protected with anti-virus and all necessary security "patches" and updates, and that you know what you need to do, if anything, to keep them current. For more information on how to stay secure on your devices visit How to Stay Secure.

  • Don't open files, click links, or call numbers in unsolicited emails, text messages, IMs, Facebook postings, tweets, etc.
    • Instead of clicking on a link, look up the website yourself by a method you know to be legitimate.
    • If you can't verify something is legitimate, ignore or delete it.
  • Don’t click on links in pop-up ads/windows; trust your web browser’s pop-up blocker, if it has one.

Key indicators:

  • You are being asked for personal or private information, your password, financial account information, address, date of birth, Social Security Number, or money, even in the form of gift cards or blank checks.
  • Scare tactics or threats stressing that if you don't act quickly something bad will happen.
  • Promises of something too good to be true. This includes bargains and “great offers,” or links to claim an award/reward.
  • Other indicators that an email isn’t legitimate:
    • It’s not addressed to you, specifically, by name.
    • The sender isn’t specified, isn’t someone you know, or doesn’t match the “from” address. 
    • It has spelling or grammatical errors.
    • It includes links to pictures or videos from people you don’t personally know.

If you find yourself among the millions of people who have responded to phishing and have exposed their personal information, you should report it and perform the following based on the information you revealed.

  • If the phishing message was directed to your UCSC email account, report the incident to ITS Information Security through the UCSC ITS Support Center at extension 9-4357 or help@ucsc.edu.
  • If you believe you have been a victim of fraud or identity theft, immediately notify your local police jurisdiction and cease all contact with the suspect organization. You can also contact the UC Santa Cruz Police Department Dispatch Center to speak with an officer at 831-459-2231 (option 1).

Choose the actions based on the information you revealed

If you exposed your UCSC CruzID Passwords

If you expose your Bank or Credit Card Account Number, Password or PIN

  • Call the bank’s hotline, usually printed on the back of your bank card, and report the incident.
  • If you have transferred money to a scammer, report the incident to your local police.
  • Inspect your statements carefully for signs of account misuse.
  • Determine if you want to put a lock on your credit records. This will keep anyone from opening a new account.
  • Go to your bank’s online website and look for information about fraud, phishing or identity theft. Find out what your bank expects you to do.

If any piece of personal information was exposed that could be used to open financial accounts (e.g., your Social Security Number, date of birth, place of birth, mother's maiden name, bank account numbers, and/or credit card numbers)

  • Put a lock on all four of your credit reports to block the creation of any new credit card accounts. When you lock your credit record, no other organization can check your credit without your permission and this will keep anyone from opening a new account.
  • Sign up for their credit monitoring service, a fee-based service that will automatically notify you whenever your credit record is accessed.
  • Review the recommendations from the Social Security Administration about identity theft and your Social Security Number.

Notify the Federal Trade Commission (FTC) that you have been phished

The FTC is the nation's consumer protection agency. The FTC's Bureau of Consumer Protection works for the consumer to prevent fraud, deception and unfair business practices in the marketplace.

Follow the advice listed here:

These websites of national agencies that deal with Internet fraud provide helpful information about dealing with identity theft issues.