Online scammers and attackers continue to target University of Maryland faculty, staff, and students. To make it easier to recognize the threats, the DIT Security Operations Center would like to share the most common email scams we are currently seeing. This article will be periodically updated as tactics and trends change.
Regardless of the exact scheme used, scams and phishing emails will almost always have one or more of the following indicators:
To keep you and your account safe, remember the following guidelines:
These messages may appear to come from various senders. They may claim to be from a unit such as “Human Resources”, or they may be from an unknown third party. Some messages may ask for you to review and sign a document, and others may claim you have a fax waiting. Regardless of the sender or the message, they will all request that you scan a QR code as part of the message.
While QR codes themselves are not inherently malicious, attackers are using them as another way to get you to visit their website, which may attempt to steal your information. It is easier for them to hide their malicious URL behind a QR code that you have to scan. Furthermore, requiring you to use your personal phone to scan the QR code takes the activity outside of UMD, where you may be less protected.
If you are not expecting an email from this person, or if the nature of the message is not familiar, do not scan the QR code. This is especially true for any message that requires immediate action, claims there is an issue with your account, or mentions payroll changes that you were not previously aware of.
If you see messages like this, please forward them to spam@umd.edu and/or delete them.
These messages may appear to come from a legitimate University of Maryland email account. The message will claim that your account is at risk of suspension or deactivation due to retirement, graduation, or transfer. In order to confirm that your account should remain active, you are directed to click on a link to a Google form. This Google form will ask you for your username, passphrase, and a Duo MFA code.
By filling out this form, your account will be compromised and likely used to send additional phishing messages which may further target the University of Maryland population.
Regardless of the type of message and who may have sent it, ANY email using a Google Form to ask you for your username, passphrase, and a Duo MFA code is a phishing message. Every Google Form contains the following message at the bottom: "Never submit passwords through Google Forms."
If you see messages like this, please forward them to spam@umd.edu and/or delete them.
These messages may appear to come from a legitimate University of Maryland email account. The message will claim that you are being offered a job that can be done virtually, at home, or remotely, with a weekly salary amount included. To apply, you may be asked to click a link that leads to a Google form. There may also be an external, non-UMD email address given as the address to apply or to contact for more information.
The intent is to extort money from you during the application process by way of a fraudulent check.
Any offer of a job which you did not directly apply for should raise immediate suspicion, even if it appears to come from a legitimate University of Maryland email account. Email accounts can be compromised and used to send these messages in order to seem more legitimate. If someone asks you to contact them via non-UMD email addresses, it is likely a scam. Additionally, any offer that could be considered "too good to be true" is likely just that.
Unfortunately, scammers use college students as easy targets. More information on these scams can be found on the Federal Trade Commission’s website: https://consumer.ftc.gov/consumer-alerts/2024/04/college-students-are-targeted-jobs-scams-too-0
If you see messages like this, please forward them to spam@umd.edu and/or delete them.
These messages may appear to come from someone you recognize at the university, or from an outside account. The message will look like a standard Google Drive or SharePoint notification and may state that someone you know wants to share a file with you. There is likely a discrepancy between the name of the person sending the email and the name of the person sharing the file in the body of the email. If you click the link in the email, it leads to a file with a Microsoft OneDrive or Google Drive image and another link asking you to click and view the file. If you click that link, it will take you to a website form such as Google Forms or Jotform asking for your email address and password. Entering your credentials on this form will lead to a compromise of your account.
If you see messages like this, please forward them to spam@umd.edu and/or delete them.
While technically not spam or phishing, there has been a huge increase in the number of emails from outside companies who want to help you with your retirement, pension, or financial matters. These emails may have not only your name but your title and department, and express that it's "time to meet about your options". Some of them will have a line in small print that states they are not endorsed by or affiliated with the university, which is true.
These companies obtain information from the university's public directory and use an aggressive and creative marketing technique. The language used in their emails is written in a way to make the recipient think it is a legitimate service provided by the university. However, these companies are hard to identify and verify and their services may not have your best interest in mind. We do not recommend setting up an appointment with them.
Any legitimate email regarding retirement or pension information will be sent directly by UHR and/or the State of Maryland.
These email scams appear to come from someone you know at the university, such as a supervisor or colleague. Many of them start with an innocent question such as "Are you available?" The intent of these is to get you to respond to them. Eventually they will ask you to purchase gift cards with the promise that you will be reimbursed.
These emails did not originate from someone at the university, and if you reply to them, you will see that the reply is going to an external email address and not @umd.edu.
If you receive an email from a colleague and you are not sure if they really sent it, always verify by contacting the person directly at their campus phone number.
These scam emails mention the sender's desire to give away, donate, or otherwise gift a high-end piano or tools for free. They may reference the name of an actual UMD employee in order to appear legitimate. They may ask you to contact this person at a non-university email address and ask you to use your personal email address when corresponding.
The intent of this scam is to eventually get you to pay some kind of fee in order to move the item. They may also steal your university credentials by asking you to log in to a bogus site.
Always be suspicious of any email that asks you to use a non-university email address to respond - this allows scammers to hide from the organization they are targeting. Additionally, any offer that could be considered "too good to be true" is likely just that.
If you receive an email from a colleague and you are not sure if they really sent it, always verify by contacting the person directly at their campus phone number.
These emails will arrive in your inbox and may appear to have been sent from your own email account. The scammers may claim to know your passphrase and have evidence of you engaging in activity on adult websites. Often this evidence is a video of you, allegedly captured using your webcam or by malware. The scammers threaten to release this video to your contacts unless you pay them in Bitcoin. They may also include other personal information about you, including a photo of your house from Google Maps. The sender is usually a random external address that is "spoofing" your email address.
The intent of these emails is to elicit an emotional response of panic and fear, which means it's more likely that someone will pay up to keep things quiet. These scams are extremely prevalent due to their success, with increasingly threatening language as new variants of this scam are seen.
Rest assured that your email account and computer have not been compromised in such a manner and you can safely delete the email.
These emails appear to show a paid invoice for a service you may not recall purchasing. They usually have a high amount and are meant to get you to question why and how you are being charged for this. Calling the provided customer support number will lead to a conversation about an easy refund process in which customer support will eventually ask you for credit card or banking details in order to properly get your money back.
The point of this scam is to get you to divulge your financial information. If you are not sure if an invoice you received is real, never call the provided phone number in the email. Always look up the company's customer support information on their official web site and call that number instead.
Usually targeting payroll and HR representatives, these emails will appear to come from someone at the university stating that their banking information has changed and they would like to update their direct deposit information. These emails are almost always "spoofed", meaning that the scammer has forged the sending address to appear legitimate. If you reply to this email, you will notice the reply is not going to an @umd.edu email address.
These scams should always raise red flags, as the university has a process for making direct deposit changes that involves an original signature on a paper form. Changes should never be processed based on information provided in an email alone. If you have any questions on the legitimacy of such emails, always verify by contacting the person directly at their @umd.edu email address or their campus phone number.
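The reply-address tell described for the gift card and direct deposit scams can also be checked from the message headers. The following is an added example, not DIT's own tooling; the sample messages, the name "Pat Example", the `mail.example` domain and the `known_names` list are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "umd.edu"  # the university domain named in this article

def split_address(header_value):
    """Return (lower-cased display name, lower-cased domain) of a header."""
    name, addr = parseaddr(header_value or "")
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    return name.strip().lower(), domain

def is_internal(domain):
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)

def check_sender(raw_message, known_names=()):
    """Return findings for one raw message; known_names is a hypothetical staff list."""
    msg = message_from_string(raw_message)
    from_name, from_dom = split_address(msg.get("From"))
    _, reply_dom = split_address(msg.get("Reply-To"))
    findings = []
    # Replies go to Reply-To when it is set, so a forged internal From with
    # an external Reply-To sends the recipient's answer off campus.
    if is_internal(from_dom) and reply_dom and not is_internal(reply_dom):
        findings.append("internal From, external Reply-To")
    # A colleague's name on an outside address is the other common pattern.
    if from_name in known_names and not is_internal(from_dom):
        findings.append("known name on external address")
    return findings

# Constructed sample messages (not real mail).
SPOOFED = (
    "From: Pat Example <pexample@umd.edu>\n"
    "Reply-To: payroll.update@mail.example\n"
    "Subject: Direct deposit change\n\n"
    "Please update my banking information.\n"
)
LOOKALIKE = (
    "From: Pat Example <pat.example.office@mail.example>\n"
    "Subject: Are you available?\n\n"
    "Are you available?\n"
)
LEGIT = "From: Pat Example <pexample@umd.edu>\nSubject: Notes\n\nAttached.\n"

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)]:
        print(label, check_sender(raw, known_names={"pat example"}))
```

A clean result from this check does not make a message legitimate, since a compromised university account passes both tests.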