Fourth-year sociology major Sarah Padilla fell victim to a phishing scam in late February when thousands of UC Santa Barbara students received an email from her U-Mail address with a job offer: $300 a week for dog-sitting.
“I got an email from what looked like the school, and it directed me to a link,” Padilla said. “Of course I was going to open it because I’m always on the lookout for emails from professors or anything campus-related.”
A few days after clicking the link, Padilla received at least 3,000 emails and 40 Facebook messages regarding the false job offer, most of them from people asking for more information and even sending full resumes.
Like Padilla, many UCSB students can fall victim to these scams when they mistake fraudulent emails for official university announcements.
Phishing is a form of social engineering that takes place through email with the ultimate goal of acquiring someone’s personal information, according to Sam Horowitz, UCSB’s chief security information officer.
Despite posting a warning on UCSB’s “Free & For Sale” page on Facebook and having UCSB’s Student Information Systems and Technology help reset her U-Mail information, Padilla says she still occasionally gets spam and emails relating to the scam.
“I wasn’t satisfied with the help desk. They reset my U-Mail, and I tried to show them that I was still getting spam, but it seemed like they didn’t believe me. They were helpful in resetting but even then I’m still wondering how our security is so compromised,” she said.
Horowitz explained that there is little the help desk can do when someone falls victim to a phishing attack.
“If you respond to a phishy message, they’re going to send you more messages because they know you respond. The help desk can’t fully prevent when the student declared themselves to be a soft target,” he said.
Horowitz said that there is no clear answer as to how scammers obtained U-Mail information since some technology is untraceable and there are limitations to detecting online activity.
He said, however, that possibilities could include leaks through students’ distribution mailing lists or computer malware.
“The best way to tell if an email is a phishing scam is that if it expresses any sort of urgency or threat,” Horowitz said. “If it’s too good to be true, or if it’s really urgent and threatens, be circumspect about it. Have a skeptical mind to recognize when you’re being fooled. Students need to look out all the time.”
Shea Lovan, associate director of UCSB’s Enterprise Technology Services, said that while he does not have phishing-specific statistics, “Office 365 blocks an average of 2.7 million pieces of spam and just under 5,000 pieces of malware destined for U-Mail accounts every month.”
Phone scams demanding ransom have also been targeting students and citizens throughout Santa Barbara County.
Reports of phone calls involving IRS impersonators and virtual kidnappings are on the rise, according to a press release from the Santa Barbara County Sheriff’s Office (SBSO).
Virtual kidnapping scams involve contacting a family member and claiming to have kidnapped someone close to them before demanding ransom payment.
“The best way to combat these calls is to educate the public,” SBSO spokesperson Kelly Hoover said.
“Anytime we send information out about these phone scams, it appears that it scares off the scammers for a time before they flare back up again,” she added.
To avoid falling victim to phone scams, Hoover advises simply hanging up the phone.
“If anybody calls you claiming to be from any agency and asks you for financial information or mentions that you owe something, just hang up and call the agency to make sure that this person is legitimate,” she said.
If students have been victims of phishing, they should visit security.ucsb.edu to report the issue.
A version of this story appeared on pg. 3 of the April 12, 2018 issue of the Daily Nexus.