Scammer impersonates UMSI privacy expert; Florian Schaub shares tips for spotting fake email
Last week and again over the weekend, it looked like assistant professor Florian Schaub emailed some University of Michigan students, soliciting part-time student workers for $300/week. If interested in the job, students were directed to send personal information to an email address or phone number.
The problem? Schaub didn’t send that email. The noted privacy expert was being impersonated by scammers.
“I got alerted to this because a student forwarded me the screenshot and was like, ‘Hey, I got this message. Is this for real?’ Unfortunately, it's not,” said Schaub. He immediately reported the email to Michigan Information and Technology Services and wrote a Tweet thread to alert students.
Even if the scammers hadn’t gotten his name and title wrong, Schaub says the email had a few other clues that were obvious red flags.
For one, the email address didn’t match his university address, or even a U-M account.
In addition, Schaub notes that a faculty member would never ask for your information before sending a job description. Scammers often will ask for your information to be sent electronically. They will use these personal details to craft a profile of who you are, and use that information to string you along in a conversation.
“Once you're in the conversation, they're going to try to have you do something that's to their advantage,” Schaub says. For example, they may ask you to send them gift cards so they can purchase a laptop or equipment for a research position. “I'm sure they're promising that the student will get reimbursed or something along those lines,” says Schaub.
“A faculty member would never ask a student to pay for something that is required for research in advance of actually having been accepted and appointed to the position, let alone pay for gift cards,” he says. “That's just not how things work.”
In these phishing emails or texts, scammers often use a panicked tone. “For these texts to work, these scammers suggest urgency,” says Schaub, adding that they use phrasing like “you need to purchase this right now” or “we need to do this quickly.” “The whole goal is to stop you from thinking about what you’re doing and whether what you’re doing is actually meaningful.”
Schaub says that whenever someone is trying to rush you, it’s a good time to pause and really look at the email. Does the sender’s email address look suspicious or not match the person, institution, or company they claim to be from? Are they asking for personal information that you wouldn’t normally share over email or text? Do they use the right title? Do you just have a nagging feeling that something seems wrong? These can all be indications that something is amiss.
Double check anything that seems suspicious, he says. “In this particular case, because the email is supposed to be coming from the university, a good approach is to just go to M-Community and search my name, title, find my actual email address, send me an email, and make sure that that's really me.”
Is there anything you can do to keep scammers from impersonating you? Unfortunately, no, says Schaub. “When I became aware of this scam, I tweeted about it so that people were aware that this was not coming from me,” he said, adding that he reported the email to U-M’s IT Services Safe Computing group at [email protected].
“I think it's important to just be aware that scams like this and phishing attacks are on the rise, and they're getting more sophisticated,” says Schaub. He adds that there has been a big shift to these more individualized scams, where a scammer will impersonate someone you know, a popular company, or they will use language that is familiar to you.
After two years of pandemic communications, where emails and texts seemed ubiquitous, it can be difficult to distinguish between what is genuine communication and what’s fake, says Schaub. Companies or medical offices that use a secondary company to communicate can muddy the water, making it difficult to sort out who is sending you a request. “It becomes harder and harder to check that the message is genuine, that it's authentic.”
When in doubt, he suggests you take a moment to comb through the email, do some sleuthing on who is contacting you and what they’re asking for, and check in with the person or company in a separate email or phone call to see if the communication is really from them.
“You just gotta be really careful to make sure you're not getting sucked in,” he says.
Schaub adds that if anyone has fallen for the fraudulent email and possibly paid money to the scammers, they should report it to the Division of Public Safety and Security.
— Sarah Derouin, UMSI public relations specialist
Report any phishing attempts or harassing emails to University of Michigan Information and Technology Services, Safe Computing.