
Watch Out For Business Email Compromise Scams

By Peter Dinh

During the past several months, the Information Security Office has been working diligently to investigate and continuously defend UCR against a Business Email Compromise (BEC) attack campaign that primarily targeted UCR employees. However, it appears the BEC attacks have very recently taken a new form and are now targeting UCR students.

A BEC attack is a type of email scam in which the attacker will impersonate the identity of an employee or faculty member. Using social engineering tactics, the attacker will try to trick their targeted victims into sending money or sensitive information through email. For example, these fraudulent emails may ask to send gift card codes, bank account numbers, social security numbers, addresses, birthdays, research data, etc. 

In this recent campaign targeting students, the attackers impersonate UCR faculty and lecturers. Using Gmail accounts, they then email students to persuade them to send gift card codes.

Within the past year, the Information Technology Solutions office published a separate article regarding the BEC attacks that were previously targeting UCR staff and faculty. You can read that ITS blog post here: https://its.ucr.edu/blog/2019/05/21/watch-out-business-email-compromise-scams

As a reminder, here are some tips to prevent yourself from falling victim to BEC attacks:

  1. Locate the “From” field of the email and double-check that the email address of the sender matches exactly with the address of a trusted UCR faculty member. Most UCR related email addresses will end with @ucr.edu.
  2. Validate any requests for monetary funds or protected information by taking additional actions, such as calling the person on their UCR office phone number or physically visiting the person’s office or department office to verify the legitimacy of the email.
  3. Never send sensitive information over email (e.g., credit card numbers, routing numbers, social security numbers, etc.).
  4. Any request to send photos of the backs of gift cards should immediately raise a red flag, and you should double-check the validity of the email through another secure channel.
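
The check in tip 1 can also be automated. The following is an added example, not part of the original article or any ITS tooling: it flags a "From" header whose display name looks like UCR faculty while the real address is external. The faculty name, the addresses, and the decision to accept subdomains of ucr.edu are assumptions made for illustration.

```python
from email.utils import parseaddr

TRUSTED_DOMAIN = "ucr.edu"  # domain named in the article
# Hypothetical directory entry (constructed): display name -> official address.
KNOWN_FACULTY = {"jane roe": "jroe@ucr.edu"}


def check_from(header: str) -> list[str]:
    """Return findings for one From header; an empty list means no red flag."""
    name, addr = parseaddr(header)
    name, addr = name.lower(), addr.lower()
    domain = addr.rpartition("@")[2]
    if not addr or not domain:
        return ["unparseable"]

    # Compare the whole domain. A plain endswith("ucr.edu") would also
    # accept look-alikes such as notucr.edu.
    internal = domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)

    findings = []
    if not internal:
        findings.append("external-domain")
        # Mail clients often show only the display name, so a trusted address
        # typed into the name can hide the real external sender.
        if "@" + TRUSTED_DOMAIN in name:
            findings.append("name-embeds-trusted-address")
    # A known faculty name attached to any address other than the official one.
    for person, official in KNOWN_FACULTY.items():
        if person in name and addr != official:
            findings.append("faculty-name-mismatch")
    return findings


# Constructed sample headers, not taken from real messages.
SAMPLES = [
    "Jane Roe <jroe@ucr.edu>",
    '"Dr. Jane Roe jroe@ucr.edu" <jane.roe.ucr@gmail.com>',
    "Help Desk <support@notucr.edu>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_from(header) or "ok")
```

A clean result only means the visible sender looks right; requests for money or information still need the out-of-band verification described in tip 2.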

In general, ITS advises all UCR faculty to be wary of any suspicious emails and to always think twice before responding to any email. Please report any suspicious emails to abuse@ucr.edu.

If you are a victim of a BEC attack and lost money or sent personal information to the attacker, you should file a report with the UCPD. In the event you sent personally identifiable information, it is a common practice to put a Credit Lock on your credit reports with the three major credit bureaus (Equifax, Experian, and TransUnion) to mitigate identity theft.

ITS would like to thank you for your deliberate efforts in keeping the campus secure.