
Be Secure: Scam awareness on Twitter and at Miami

As we get closer to the start of the school year, online scams are ramping up. The Information Security Office would like to remind folks to stay vigilant when online.

We have a couple of general guidelines (and a couple of specific ones!) to share about staying safe online and making sure the person you’re talking to is actually who they say they are.

Let’s dive in!

General warning for Twitter users


Earlier this week, Twitter users were appalled to learn that a malicious actor had gathered a database of more than 5.4 million Twitter credentials by exploiting a vulnerability in the back end of the popular social media site. This vulnerability allowed the scammer to gather emails and phone numbers of users – which are now publicly available (and for sale on the dark web).

This is a good reminder to be extra careful when receiving emails or messages from Twitter or anyone on the platform, especially if the sender asks you to enter login credentials. You will only ever be asked to give your credentials to Twitter on the login page – never in an email, and never over the phone.

And you especially want to make sure you’re vetting messages you get on the platform itself – anyone claiming to be a figure of authority – such as a member of Miami’s senior leadership – and trying to get you to buy an NFT is probably, in fact, not the person they claim to be.

Scam alert: Miami “professor” looking for student “employees”

This next warning comes a little closer to home. The ISO has received a notice about a fraudulent email message that appears to offer employment for students. We get these kinds of scams frequently, but this one has caught several folks so far.

The issue is that the email looks like it is coming from a legitimate “@miamioh.edu” email address, because the scammer has spoofed the “from” address. Here is an example of the email going around:

Currently, Miami University, The Department of Computer Science is seeking for student research assistants to work remotely and receive a weekly salary of $365. Students can participate in the research from any department of the institution, and tasks can be performed remotely. For more information and to obtain the job description, you will need to contact Professor John Femiani by text message (609) 300-7936

Kind regards.

C/O Professor Professor John Femiani

Title: Professor of Computer Science, Department of Computer Science,

Department of Computer Science,

Miami University.

The gist of the scam is that a “Miami professor” (the scammer) is looking for someone to do a few tasks for them, under the guise of helping out with research about personal protective equipment (PPE). The scammer sends a list of “tasks” that the student employee is expected to do, one of which is to buy a gift card, which will supposedly be used toward more activities in the research process. The scammer says that “reimbursement will be included in your first paycheck” for the gift card.

The key here: If someone asks you to buy a gift card (for which they will “reimburse” you), do not do it. Once money is spent on a gift card, it is impossible to recoup.

If you receive this email, please do not respond or click on any links within; just delete the message. This is a common phishing practice: the sender tries to get recipients to click on fraudulent links and unknowingly download malicious programs to their machines, or tries to steal personal data.

Stay vigilant: Quick tips

The main thing to take away from all of these examples: If someone you are unfamiliar with sends you a message wherein they ask you to purchase gift cards or input login credentials for certain services, and you can’t verify their identity, the safest response is to simply delete the message.

Some quick tips for verifying someone’s identity:

Rather than using links in a questionable or unexpected message from a business or service you normally use, reach out to the business or service in the way you typically access it. Weird message from Amazon? Don’t click the link, just pull up amazon.com in a new tab.

Strange message from a supervisor or coworker? Don’t reply to the message directly. Call, email, or walk over to the person, however you typically interact with them, and verify the message’s authenticity.

Unsolicited advertisements or spam? Just delete and ignore – you’re capable of identifying what you want without ads or spam.

Job offering? Too good to be true? Just delete and ignore. Can you think of anyone who acquired a good job from an out-of-the-blue email message or phone call?

If you receive a message that you suspect to be a phishing message, please forward the message to InfoSec@MiamiOH.edu. This allows the information security team to block sites that may be associated with phishing attacks. If you ever feel you may have responded to a fraudulent message or clicked a link in one, please contact IT Help immediately at 513-529-7900.

