
Phishing is a type of cyberattack where a criminal tries to trick someone into giving up personal information such as passwords, credit card info, social security numbers and other sensitive information by pretending to be a trusted individual. It usually happens through email, but can also happen through text messages, fake websites, gaming chats, or social media apps. These are just some of the common scams and their monetary loss according to the FBI’s 2023 Internet Crime Report (ICR).
| Crime Type | Description | Reported Monetary Loss |
|---|---|---|
| Advanced Fee | An individual pays money upfront to receive something of greater value and receives less than expected, or nothing at all. | $134.5 Million |
| Business Email Compromise (BEC) | Criminals target businesses or individuals with the intention of authorizing fraudulent transactions or stealing sensitive information. | $2.95 Billion |
| Confidence Fraud/Romance | The scammer grooms the victim into believing they are in a serious relationship, with the purpose of extracting money from the victim. | $652.5 Million |
| Credit Card/Check Fraud | Broad term for any theft or fraud involving credit cards or online payments. | $173.6 Million |
| Phishing/Spoofing | Attackers send unsolicited emails, text messages, and phone calls to manipulate the victim into giving them access to sensitive information. | $18.7 Million |
| Tech Support | The scammer poses as tech support or customer service, most likely with the intent of financial gain. | $924.5 Million |
| Lottery/Sweepstakes/Inheritance | The victim is contacted about being entitled to a large sum of cash but must pay upfront fees. No prize or inheritance is ever received. | $94.5 Million |
Case Study: United States of America v. Olusegun Samson Adejorin
This case involved a Nigerian national by the name of Olusegun Samson Adejorin. Adejorin ultimately faced federal charges in relation to a $7.5 million scheme to defraud two charitable organizations located in Maryland and New York.
Adejorin used credential harvesting, phishing, and domain spoofing to carry out the scheme. Credential harvesting happens when an attacker gathers information such as usernames, passwords, and other user identifiers. Email domain spoofing is where the attacker sends an email that pretends to come from a trusted source such as a specific company or person. Spoofed email addresses can closely resemble trusted ones, often differing by just a single letter or character. This same concept is used for website domain spoofing. The attacker clones a website, publishing it at a website address that is slightly different from the legitimate site.
Between June 2020 and August 2020, Adejorin used multiple Gmail addresses to gain access to employees’ email accounts at Company 1. He was successful in doing so and sent emails through a compromised employee’s account to make withdrawal requests. He sent emails from Company 1 to Company 2 about withdrawal requests. During that time he had also compromised an employee’s account at Company 2 to make his communications appear legitimate. He concealed the fraudulent messages by moving them out of the compromised users’ inboxes into other folders in the victims’ mailboxes, so the real account holders would not see them. Adejorin also registered spoofed website domains that were misspellings of both companies’ domains. Since withdrawals over $10,000 needed to be approved by Company 1, Adejorin was able to use the compromised email accounts at both companies to request and approve the withdrawals himself. This resulted in $7.5 million being sent from Company 2 to the criminals’ bank accounts in Hong Kong.
Takeaways:
- Stay Alert: Always double-check email addresses and links, especially if they involve money or sensitive info. Look for small changes in domain names.
- Sender address: Verify that the sender’s email address matches the expected domain. Even if the name looks familiar, hover over the sender’s name to see the full address. Be cautious of slight misspellings that could indicate a fraudulent email.
- Links: Hover over links before clicking to preview the URL. Avoid clicking on links in unsolicited or suspicious emails. They may lead to phishing sites designed to steal your credentials.
- Attachments: Only open attachments from trusted sources. Verify with the sender if you weren’t expecting the attachment. Malicious attachments can carry viruses or malware, which can compromise your system.
- Urgency: Be wary of emails that create a false sense of immediacy. Scammers use these tactics to rush you into making mistakes. Take your time to verify requests and consult with IT if you’re unsure.
- Report Suspicious Activity: If it is a phishing email, report it. IT Security will investigate and take the appropriate actions. It also helps Google with their scam detection to prevent future incidents.
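As an added illustration of the sender-address and look-alike-domain checks in the takeaways above (example code written for this page, not part of the original newsletter or of any college tool): it reads the address from a From: header, ignores the attacker-controlled display name, and flags domains that are within a couple of character edits of a trusted domain once common look-alike substitutions (0 for o, rn for m) are folded away. The trusted domains and sample headers are constructed.

```python
from email.utils import parseaddr

# Constructed sample: domains this organisation legitimately exchanges mail with.
TRUSTED_DOMAINS = {"northfund.org", "harborgiving.org"}
# Constructed subset of common look-alike substitutions (digit for letter, 'rn' for 'm').
LOOKALIKE_SUBS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def normalize(domain: str) -> str:
    """Fold look-alike characters so 'n0rthfund.org' compares equal to 'northfund.org'."""
    d = domain.lower()
    for bad, good in LOOKALIKE_SUBS:
        d = d.replace(bad, good)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2):
    """Classify a From: header; returns (verdict, sender_domain, closest_trusted_or_None)."""
    # Only the address is used: the display name is attacker-controlled and often copies a real name.
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return ("unknown", domain, None)
    for t in trusted:  # exact match, or a genuine subdomain such as mail.northfund.org
        if domain == t or domain.endswith("." + t):
            return ("trusted", domain, t)
    # Otherwise find the trusted domain it most resembles after folding look-alike characters.
    closest = min(trusted, key=lambda t: edit_distance(normalize(domain), normalize(t)))
    if edit_distance(normalize(domain), normalize(closest)) <= max_dist:
        return ("lookalike", domain, closest)
    return ("unknown", domain, None)

if __name__ == "__main__":
    for header in ("Jane Doe <jane@northfund.org>", "Jane Doe <jane@n0rthfund.org>",
                   "Jane Doe <jane@northfnud.org>", "Jane Doe <jane.doe@gmail.com>"):
        print(header, "->", check_sender(header))
```

A "lookalike" verdict is a reason to verify the request through a known phone number or in person, not proof of fraud; an "unknown" verdict still deserves the usual caution described above.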
For more information, check out these resources:
National Cybersecurity Alliance – Recognize and report phishing
FinCEN – Email Compromise Fraud Schemes Advisory
Phishing Simulations
The College is committed to performing four phishing simulations annually, two in the spring and two in the fall. We will perform both fall phishing simulations during October. All employees will be “phished,” and for the first time, students will be phished, too. Look for suspicious messages delivered to your inbox and report them as you would any genuine phishing message. Feel free to work with your colleagues and classmates; this is exactly what we want you to do with real malicious emails.
Save the Date for the Virtual Town Hall
A regular feature of Cybersecurity Awareness Month is a town hall meeting with Kendall George, information security officer for Carleton and St. Olaf Colleges. In this informational and interactive session, he’ll describe the current cyberthreat landscape in higher education and the steps you can take to keep the campus and your digital life secure. There will be ample time for Q&A.
Save the Date: Noon, Wednesday, October 30, 2023.
Cybersecurity Training
Annual cybersecurity training for employees is due by October 31. To encourage everyone to get this done by the end of the month, employees who complete this training by the deadline will be entered into a drawing for two Bon Appetit meal vouchers. Feel free to work as a team and, in other ways, encourage your colleagues to meet this important annual requirement. The course covers a variety of current cybersecurity issues. It doesn’t take a lot of time. Plan for no more than 30 minutes to complete the course.
Cybersecurity is everyone’s job. Be safe out there, and if you have any questions, don’t hesitate to contact us or the Help Desk.