Improving Technologies Make Impersonation Scams More Effective

Most of us have received phishing emails in our inbox and smishing messages on our phones impersonating people or companies we trust. According to the US Federal Trade Commission (FTC), consumers lost $1.1 billion to these types of social engineering scams in 2023. That is three times more than in 2020, with strong growth expected now that artificial intelligence (AI) technologies can be used to make phishing communications more convincing. 

We have often been able to spot these impersonations by noticing non-standard language in sentences, grammatical errors, or messages that don’t seem to apply to the situation. But as AI tools improve, scammers can use them to rapidly create very convincing messages that lack the tell-tale signs we’ve become accustomed to spotting. It is even possible to use so called deepfake tools to create convincing audio and video of someone speaking – using only short clips of the real person speaking.  

Here are other clues to help identify impersonation scams:  

  • Verify the source. Check the email address the email was sent from, and if a suspicious email comes in to your GatorMail email, double-check whether the message is flagged in red as [External Email]. On your phone, smishing messages often appear to come from an email address rather than a phone number. 
  • Check with the sender. Impersonation scams often want to give you the impression that the real person being impersonated is not available, which is why they need you to quickly take some action for them. But it doesn’t hurt to give the real person a call or send a message to verify, because if they answer, it was probably a scam! Do not hit ‘reply’ or ‘redial.’ Instead, look up the person in your contacts or find a reliable contact for companies independently (such as calling the phone number on the back of your credit card if you get a text purportedly coming for your bank) 
  • It’s a good idea to agree on a way to authenticate communications with people ahead of time, such as by creating a ‘code word’ that family members can use if they are really in trouble.  

If you find yourself the recipient of an impersonation scam, you should report the fraud to the FTC. This helps federal investigators stop scammers before they can reach more people. 

For more information on impersonation scams, visit https://security.ufl.edu/learn-security/.

Cybercrime Spikes at Start of Semester

Phishing emails, with malware and dangerous links embedded in them, increase at the start of each semester. Why? Cybercriminals know that new faculty, students, and staff do not yet understand what to expect from UF emails, and whether asking for GatorLink password information in an email is standard conduct. (It isn’t.)

In addition to phishing, social engineering includes deceitful activities like spear phishing, smishing, tailgating, and doxxing. Make time to review the Information Security Office’s
social engineering webpage and become familiar with techniques that cybercriminals use. To help the UF community better understand phishing, Dr. Amanda Phalin, Faculty Senate chair and senior lecturer in Warrington’s Management Department, recorded this video, which explains what it is and how it works.

In the past 12 months, UFIT’s security detection systems have caught 98.5% of phishing messages sent from outside the university. Still, some phishing emails do get through. That’s why being vigilant about what you click on is so important. The phish alert report button in GatorMail lets you report suspicious messages. If you receive an email you suspect is a phish, highlight the email and click on the phish alert report button. This action sends the potentially malicious email directly to the Information Security Office so staff can investigate. Emails from outside UF are marked with the [External Email] banner. Apply extra caution when you see this banner, especially if they purport to be from someone at UF.

Have a great semester and GO GATORS!

Enter Phishle Contest to Win Gift Card

The UF Information Security Office’s annual summer contest is open June 1 – 30, 2022. This year, all you have to do is play Phishle — UFIT’s information security take on the popular game “Worldle®” — to qualify for weekly gift card drawings.

Never played Phishle? Like Wordle®, Phishle is a word game. But Phishle focuses on players learning about social engineering terms such as phishing, smishing, vishing, and tailgating while solving the daily word puzzle. Phishle launched in Spring 2022 by Spencer Fasulo, a freshman computer science major who interns with the Information Security Office (ISO). Before entering the Phishle contest, check out the ISO’s great new social engineering webpage. You’ll learn what to watch out for and be better equipped to complete the daily Phishle game and win a gift card!

Phishle players get an entry for each 10 words they find. After achieving 10 correct words, fill out the form provided with your contact information. Two gift cards will be awarded each week, with winners announced on UFIT’s Twitter and Instagram accounts. Gift cards will need to be picked up in the 720 Building by local winners. Winners residing outside of Alachua County will receive their gift cards via US Mail.

Threat to Suspend Your Social Security Number is a SCAM

Con artists pretending to be with the Social Security Administration (SSA) are utilizing email, text messages, and phone calls to scare people into providing money and/or personal information. Remember: The SSA will never threaten, scare, or pressure you to take an immediate action.

It is a SCAM if someone…
● Warns of imminent arrest or legal action
● Requests payment by gift card, prepaid debit card, internet currency, or mailing cash
● Pressures you for personal information
● Requests secrecy
● Threatens to seize your bank account
● Promises to increase your Social Security benefit
● Says they have evidence against you, or uses the name of a real SSA official

How to protect yourself from Social Security-related scams:
1. Stay calm. Do not provide money or personal information when you feel pressured, threatened, or scared.
2. Hang up on the caller or ignore the text or email.
3. Report Social Security-related scams. If you receive a suspicious call, text, or email that mentions Social Security, report it to the SSA Office of the Inspector General (OIG). Do not be embarrassed if you shared personal information or suffered a financial loss.

UF’s Information Security Office has an Identity Thefts and Scams webpage where you can learn more about the techniques used by cyber criminals.