The Information Security team have recently seen a significant spate of phishing emails targeting students, with the premise of providing part time work as a personal assistant to a professor.
The emails offered a very generous pay package for only a few hours work per week. All you had to do to get the ball rolling was reply to the sender and provide a huge amount of personal information.
In this article we explore the details of this scam, look at why it can be so dangerous, and provide tips on how to spot a suspect offer, as well as what to do if you have fallen victim.
What the emails said:
- The emails were impersonating a genuine external Professor, which was an attempt to lend credibility in case any recipients ran a search on the name. They claimed they were offering a position as a temporary personal assistant and implied that they had the approval of the University of Aberdeen.
- The emails stated the successful applicant would be tasked with making purchases and payments on the Professor’s behalf, and that “some of their personal letters and mails will be forwarded to your residence or nearby post office for you to pick up at your convenience”.
- The email requested the recipients reply and provide a large amount of personal information if interested.
What was the attacker’s goal?
This appears to be a two phased attack:
Phase 1: - Personal Information Collection
The first phase is to collect as much personal information as possible. Personal information is valuable to scammers for several reasons:
- It can be used to craft highly convincing scams against individuals later.
- It can be used to attempt to take loans/credit out in your name.
- It can be directly sold on the dark web for profit.
Phase 2: - Money Mule Recruitment
The statement that the applicant would be responsible for making payments/accepting packages suggests that this was an attempt to recruit money mules. Money mules are individuals who are recruited to launder money for criminal organisations, usually by receiving and transferring funds and making it difficult for law enforcement to track the proceeds of crime. Many money mules will not realise they are doing anything illegal, however they may still be prosecuted if caught.
Students are a highly targeted group for this type of activity.
What should I do if I have provided personal information:
If you believe you may have been in communication with a scammer, and have provided personal information you should take the following actions:
- Cease all contact immediately.
- Be highly vigilant for further phishing emails or calls from other sources.
- Consider researching and signing up for a reputable credit checking agency to ensure credit has not been taken out in your name.
- Report any related contact from new email addresses immediately.
Tips on avoiding this type of scam.
- Trust no one!
- If you receive an unsolicited email or phone call, always verify the source independently using official contact details. You can verify emails from the University by contacting Info Hub (infohub@abdn.ac.uk) or the Service Desk (servicedesk@abdn.ac.uk).
- Be particularly wary if the sender tries to create a sense of urgency, they may be trying to get you to panic and act quickly.
- If something seems too good to be true, it probably is.
Further information and Advice:
How to spot and report a phishing email:
https://www.abdn.ac.uk/staffnet/working-here/it-services/security.php#panel7228
Student Safety Guide for more information on Money Mules and other types of Scams:
https://www.abdn.ac.uk/students/documents/Student-Online-Safety-Guide-2023.pdf
Find more information on Money Mules on the National Crime Agency’s website:
https://www.nationalcrimeagency.gov.uk/moneymuling