Protect Yourself from Scams

Make sure your computer is protected with antivirus software and all necessary security "patches" and updates, and that you know what you need to do, if anything, to keep them current. For more information on how to stay secure on your devices visit How to Stay Secure.

The principle behind the scams listed below is that people are the weak link in security — that it can be easier to trick people than to hack computing systems. Many scams exploit people’s tendencies to trust and be helpful. They also take advantage of our tendency to act quickly when faced with a crisis.

These job offers are often unsolicited, meaning you never applied or interviewed for the job. Other times, you are invited to apply for a job with unusually desirable conditions (short hours, easy work, lots of money, ability to work from home); after you apply, a short and easy interview process, light on actual job details, may be conducted. These scams can also start with someone offering to help you with your resume or find a job. For more information, visit the Student Job Offer Scams page.

Watch out for unauthorized and misleading financial adviser solicitations. These messages, delivered through emails, invitations, and cold calls, may offer you help with retirement planning. Most are intentionally misleading and suggest that UC is endorsing their services. It’s easy to confuse these unauthorized advisers with UC-contracted financial planning services. If you receive an unsolicited email from a financial adviser, please do not respond or click on any links within; just delete the message. For more information please visit Be careful about financial adviser solicitations.

Phishing is a scam designed to steal information or passwords, compromise computers, or trick you out of money, typically via deceptive emails, texts, posts on social networking sites, pop-ups, or phone calls. For more information on what to watch out for, go to Avoiding Phishing Emails. If you suspect that an email is not legit, don't click on it. Instead, check the sender’s email addressand verify it or speak to the sender directly before taking any action. For more information, have a look at UCSC’s General Phishing Awareness video.

Some examples of phishing emails include:

• Impersonation spoofing, in which a criminal impersonates another individual or organization with the intent to gather personal or business information. Attackers may research their target so they can gain trust, or they may bet on the target’s desire to please a co-worker or boss.
• Phony tech support emails, with subject lines such as “There’s a problem with your account,” which are meant to trick you into sending your password or clicking on a link in order to fix a problem.
• Phony security alerts, such as emails, pop-ups, or Facebook notices warning that your computer is at risk of being infected, typically with a link to click.
• Requests for money, such as emails or phone calls from someone pretending to be from another country that needs assistance accessing a large sum of money, a friend stuck in another country without any money, or an IRS agent claiming that you owe taxes and must pay immediately over the phone.

Other kinds of phishing scams include:

• Angler Phishing, in which scammers use fake social media posts to get you to provide login info or download malware.
• SMS Phishing or "Smishing," which refers to phishing through some form of a text message or SMS.
• Spear Phishing, in which criminals obtain information about you from websites or social networking sites and customize a phishing scheme to you.
• Voice phishing or "Vishing,” in which you receive a fraudulent call designed to obtain sensitive information such as login credentials. For instance, the attacker might call pretending to be a support agent or representative of your company.
• Whaling, in which attackers go after a "big fish" like a CEO. These attackers often spend considerable time profiling the target to find the opportune moment and means to steal login credentials. Whaling is of particular concern because high-level executives are able to access a great deal of sensitive company information.

Reporting Phishing to Google

If you think you have discovered a Phishing scam, report it to Google. Train your spam filter:

• Open the message in Gmail (in your web browser)
• Click the three vertical dots ' ⋮ ' next to reply
• Choose 'Report phishing'

For more information, have a look at UCSC’s Reporting Phishing to Gmail Tutorial video.

If you receive a threatening phishing email, also report it to your local police department.

If you find yourself among the millions of people who have responded to phishing and have exposed their personal information, you should report it and perform the following based on the information you revealed.

• If the phishing message was directed to your UCSC email account, report the incident to ITS Information Security through the UCSC ITS Support Center .
• If you believe you have been a victim of fraud or identity theft, immediately notify your local police jurisdiction and cease all contact with the suspect organization. You can also contact the UC Santa Cruz Police Department Dispatch Center to speak with an officer at 831-459-2231 (option 1).

If Your UCSC CruzID Passwords Have Been Exposed

• Immediately change your UCSC passwords. If you use this password on other non UCSC accounts, change those to new unique passwords ASAP. Visit the ”Resetting CruzID Blue and Gold passwords” page for instructions.
• Report the phishing attempt to Google.

If Your Bank or Credit Card Account Number, Password, or PIN Has Been Exposed

• Call your bank’s hotline, usually printed on the back of your bank card, and report the incident.
• If you have transferred money to a scammer, report the incident to your local police.
• Inspect your account statements carefully for signs of misuse.
• Consider locking your credit records. This will keep anyone from opening a new account.
• Go to your bank’s online website for information about fraud, phishing or identity theft. Find out what your bank expects you to do.

If Any Personal Information Was Exposed

• Put a lock on your credit reports at Equifax, Experian, and TransUnion to block the creation of any new credit card accounts. When you lock your credit record, no other organization can check your credit without your permission, and this will keep anyone from opening a new account.
• Sign up for their credit monitoring service, a fee-based service that will automatically notify you whenever your credit record is accessed.
• Review the recommendations from the Social Security Administration about identity theft and your Social Security Number.
• If your driver's license or identification card was exposed, contact your local DMV office to report the theft of your driver's license or ID card and ask them to put a fraud alert on your license/identification card.

Notify the Federal Trade Commission (FTC) That You Have Been Phished

The FTC is the nation's consumer protection agency and works to prevent fraud, deception, and unfair business practices in the marketplace. You can report phishing and other scams on the FTC’s Report Fraud.If you are a victim of identity theft, visit the FTC’s Identity Theft page.

The following websites of national agencies that deal with Internet fraud also provide helpful information about dealing with identity theft issues:

• The Identity Theft Resource Center
• The Internet Crime Complaint Center

Business Email Compromise (BEC): Carefully planned and researched attacks that impersonate a company executive, vendor, or supplier.

Compromise: Disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.

Data breach: A security incident where confidential or protected information has been exposed and stolen due to unauthorized access. A data breach can be intentional or accidental. A cybercriminal may hack the database of a company where you’ve shared your personal information. Or an employee at that company may accidentally expose your information on the Internet.

Fake Invoices: An attachment that looks like an invoice but is really a scam.

Hacker: Also called phishers or scammers, hackers breach defenses to gain unauthorized access to computers, phones, tablets, IoT devices, networks, or entire computing systems. Hackers take advantage of weaknesses in network security to install malware, steal or destroy data, disrupt service, and more.

Hacking: Hacking is the act of identifying and then exploiting weaknesses in a computer system or network, usually to gain unauthorized access to personal or organizational data. Types of hacking include: hacking passwords, infecting devices with malware, exploiting insecure wireless networks, spying on emails, and logging keystrokes.

Phishing: The practice of sending fraudulent emails or other messages disguised as messages from trustworthy sources, meant to lure you into revealing sensitive or confidential information.

Pharming: A type of online scam where cybercriminals trick users into visiting fake websites that resemble legitimate ones to steal their personal information, such as passwords or credit card details.

Pop-up Scams: Use a pop-up about a problem with your computer’s security or some other issue to trick you into clicking. You are then directed to download a file, which ends up being malware, or to call what is supposed to be a support center.

Ransomware: A scam that locks your computer and demands money to unlock it. This is a double whammy because you also give the attacker your credit card information.

Robocalls: A call that delivers a prerecorded message through auto-dialing software to millions of people each day. If you answer your phone and hear a recorded message instead of a real person speaking, you are listening to a robocall. Some robocalls provide useful information, such as appointment reminders or flight cancellations, but some are trying to sell you something, and many of them are scams.

Spam: Unsolicited and unwanted junk email sent out in bulk to a wholesale recipient list. Typically, spam is sent for commercial purposes. While these emails can be a nuisance, they are not considered malicious.

Survey Scams: A fraudulent online or email survey that asks for personal or financial information. Be cautious about the legitimacy of any unexpected survey, especially if you do not know the company or topic and it is asking for personal information.