Phishing for your money: How PBA fights email scammers
For many college students, receiving an email saying they could make $400 a week would be intriguing because many understand what it’s like to manage the costly expenses of tuition, rent, books and other basic college necessities.
Angelique Jager, a Palm Beach Atlantic University (PBA) sophomore, is one of those students who was looking for work when she saw an email advertising a part-time assistant position.
The email, sent under the name Emily Rodriguez, appeared to be from a fellow PBA student because the sender had a PBA email. The sender wrote that a "Dr. Paul Shawn", an out-of-state employer, was looking to hire a remote personal assistant. If a student expressed interest in the position, they were then prompted to contact Shawn through an email not linked to the PBA server.
“He was giving $400 a week, which as a college student you know I could use that of course, so I took it up as a great opportunity,” Jager said.
Shawn informed students in a private email that they would work a few days a week for a total of six-to-eight hours. The hired applicant would be responsible for tasks such as collecting commissions, booking appointments, handling financial activities and running errands.
“I had emailed him back and forth very quickly in hopes that I would get this position,” Jager said. “About two or three days later, he emailed me saying that he chose me.”
Shawn first instructed Jager to deposit a $3,350 check. He stated that once she deposited the check into her bank account, she could keep $400 for herself and use the remaining $2,950 to pay off Shawn’s debt at a bookstore.
“I got the check literally a day after he sent me that email, so I thought it was very weird,” Jager said.
Jager noticed that the check was not signed by Shawn but by someone named Katie. The check address was from a meat market in California.
“I thought this could be a fake check, but I decided to just bring it to the bank,” Jager said.
Jager sent an email back confirming that she received the check and asked for the address to the bookstore. Shawn told her he would give her the information after she deposited the check.
The bank later informed Jager that they could not cash the check, but they did not say why. They suggested she reach out to the person who gave it to her.
“I emailed Dr. Paul Shawn that there was a problem with the check, but I received no response,” Jager said. “Never contacted me, never got back to me. It was really weird. I waited another day thinking he was busy but still no response.”
She then reached out to Rodriguez, but she still didn’t receive a reply. Not sure where to turn, Jager reached out to one of her professors who, after hearing all the details, determined this was most likely a scam.
“I had a feeling this was weird, but yet I could only imagine how many other students this happened to as well,” Jager said.
PBA has its own Campus Information Services (CIS) department that serves as the university's Information Technology team. They handle several areas on campus such as network, database, computer and media services. CIS monitors the university’s email server.
It was only after reaching out to CIS that the email sent by Rodriguez was taken down. A follow-up email was then sent out to students warning them of the scam and providing them with tips on how to avoid these types of messages.
While this incident of phishing was acknowledged and removed, Jager was left unsatisfied by how the school handled the issue.
“I personally feel it was overlooked, and [CIS] didn’t do enough about it,” Jager said. “They say these things happen, and we just need to be warned and keep an eye out when really this shouldn’t be happening to us students, especially from a PBA email.”
Jason Thomas has been the director of CIS for the past four years and has seen firsthand the development of cyber scams.
“Email tends to be the number one vector for any type of malicious software entering our campus network,” Thomas said. “And unfortunately it’s also a very effective tool for cybercriminals and bad actors to implement social engineering and phishing.”
PBA’s email server employs a portfolio of security tools used to scan every message that comes through against a verified blacklist. If an email has been flagged by other providers as spam, then it’s automatically blocked from the system.
CIS also doesn’t allow any emails that contain attachments such as zip folders that can’t be unzipped and scanned for viruses. The sole purpose of its targeted attack prevention system is to flag any messages believed to contain any form of malicious intent that can cause damage to either the network or its users.
However, the system isn’t foolproof, and because of this, scam emails are bound to slip past the CIS team’s eyes from time-to-time.
“Because of the volume of emails, we’re talking an order of millions of messages per month, they send a considerable number of emails our way,” Thomas said. “Where we do get into trouble sometimes with our users is with phishing emails.”
In order to combat against phishing emails that get through to the network, CIS implemented a flagging system a few years ago that notifies users when an email has originated from outside the PBA network. A banner will pop up and advise students not to click on any links.
PBA’s CIS team also has its own system for anyone from the campus community trying to send an email to everyone on campus. They have to send it into the system, and CIS moderators review and approve it before it’s sent.
In the case of the Rodriguez email, the fraudulent advertisement originated from a PBA account and didn’t contain any outside links that would flag the system.
“If a user falls for a phishing email and inadvertently puts their password in and submits them into a phishing expedition that can become very problematic,” Thomas said. “Because then you are giving a malicious actor access to your email and password in which they can send out emails on your behalf without you realizing.”
Once CIS is notified of an email being a scam, the team takes extensive measures to remove and block the email.
“We’ll identify the address and add it to our email blacklist so that the individual will not be able to send emails to our campus period anymore,” Thomas said. “In addition, the sender IP address is blocked so that the person doesn’t have the opportunity to hit our network again.”
The CIS staff sends out weekly emails for October’s Cybersecurity Awareness Month, advising students to watch out for scammers by using different passwords for all your accounts, avoiding emails that ask for your password information and double-checking the sender address.
“The key underlying thing for PBA students is if you think something is too good to be true, or it looks suspicious, follow up on it. Don’t just blindly proceed,” Thomas said.
By Morgan Therrien