As students may have noticed, there has been a multitude of scam emails in the past few weeks. Email scams are not new. Just a few years ago, this very newspaper covered the surge of COVID-19 cyber scams. To ensure students are aware and informed, NCC’s Information Technology Services (ITS) department have implemented new temporary protective measures. They are also planning the addition of a new security measure in November.
Dangerous spam emails
Mike Quintero, director of technology innovation at NCC’s ITS, explained spam emails as “unwanted and unsolicited bulk email.” All spam is not dangerous, but there can be some sent with bad intentions. There are actually two types of dangerous spam messages NCC students and accounts have been experiencing. These are “scam” and “phishing” emails. They usually appear to be coming from a source the receiver would view as legitimate or trustworthy. The difference between the two types is that “scam” emails involve tricking the reader to send money. While “phishing” involves misleading the reader into sharing important personal information such as passwords and Social Security numbers.
Reasons for high quantity spam emails
Quintero referenced a report by the Anti-Phishing Working Group (APWG), which stated that the second quarter of 2022 was the worst quarter for phishing that the group had ever reported. Over a million phishing attacks were recorded, with APWG noting that attacks were quadrupled that recorded in early 2020.
However, information acquired through phishing emails can prove valuable in creating more effective scam emails. If email addresses are part of the information received from phishing emails, these email addresses can then be used to send scam emails to email accounts on that same network. Since the scam emails appear to be coming from the same network as the receiver’s own email address, such as when a scam email shows a NCC sign-off, it is viewed as more credible. Readers are more likely to give their information.
An attacker will send a “phishing” email to trick people into sending them their usernames and passwords, and will then use those usernames and passwords to both send “scam” emails (to try to trick people into sending them money) and more “phishing” emails (to collect more usernames and passwords to continue the cycle). Every time someone provides their username and password to these attackers, that compromised network account is likely to be the launchpad for the next wave of attacks,” said Quintero.
ITS prevent and protect against scam emails
Microsoft had offered advice and guidance to ITS, which Quintero explained assisted in placing some temporary protective measures. ITS is also processing the integration of a new security measure as another level of protection for NCC network users. This new security measure is called “multi-factor authentication” or MFA. MFA is when users are required to use another factor during log-in to help verify their identity, which in NCC’s case this will be a mobile device. More information about this will be sent out to the general campus community soon, but Quintero announced that ITS plans to implement it early in November.
Protection against scam emails
“Students should be extremely skeptical about any messages they receive that are asking them to provide privileged information; username and password, but also address, phone number, Social Security number, etc., or any emails that involve sending money or gift cards, often in exchange for discounted goods at prices that are “too good to be true,” said Quintero.
As mentioned in the quote above, meet any request for personal, privileged information with skepticism. Knowing and trusting the individuals that seem to have sent the email doesn’t automatically validate the message. The use of emails from individuals people know and trust is, in Quintero’s own words “why so many scams are successful, people provide requested information, or fill out forms, sent from the accounts of people they know, so they automatically believe the message is safe.”
Quintero urged that if students are unsure of the validity of an email, please reach out and forward it to the ITS Help Desk. They can provide evaluation and validation of the message.
When contacted by victimized students, Quintero explained ITS typically redirects them to Campus Safety for assistance.
Additional feedback
Quintero discussed the steps students should take if they believe they might have fallen for a scam. These mostly consisted of changing your password as soon as possible and notifying ITS of the potential breach. Quintero explained that “the goal is to minimize the amount of time that an unauthorized party has access to your account.”
Quintero also emphasizes the benefits of listening to your intuition when you read these emails. If anything feels “off”, further evaluate the message and carefully consider it before continuing with anything it may ask. Unless an email has been suitably verified, do not respond, open a provided attachment, or click a link in the email.
Tips for spotting spam, phishing and scams
- Request your username/password or send you a link that requests this information
- Time-sensitive threats, your account will be disabled if you don’t act now
- Spelling and grammatical errors
- Impersonal/generic greetings such as “Dear Account Holder, Dear All”
- Unexpected attachments or links
- Messages about accounts you do not have (UPS, FedEx, eBay, PayPal, banks, credit cards)
- Messages that exploit human emotions (sympathy, kindness, fear)
- Inspect the email address from which the message was sent. Do not rely on the name that is displayed in the FROM field
Outside resources
For more information on how to recognize scams and phishing emails, the Federal Trade Commission has tips. To learn more about the prevalence of phishing scams, the APWG has Phishing Trends Activity Reports.
