October 15, 2024

Impersonation Scams: How IT Leaders Can Protect Campus Communities

Vantage Technology Consulting Group

Impersonation scams involve someone pretending to be someone they’re not to deceive victims into giving away personal information or money. These scams might include the scammer posing as a trusted individual like a family member, friend, employer, or authority figure. They try to exploit the victim’s trust and manipulate them into taking actions they otherwise wouldn’t. These scams are designed to catch victims off guard, create an emotional dilemma, and force them to react quickly.

Impersonation scams are targeting campus community members–students, faculty, and staff–in different ways. Red flags include asking victims to pay or send money in ways that make it hard to get the money back. Internal alarm bells should be ringing if someone asks you to:

The best way to stay ahead of these scams is to keep yourself and others informed and to develop plans for how best to react when you find yourself confronted with a situation that doesn’t feel right. Higher education IT leaders can also encourage preventative behavior to keep their campus communities safe.

Here we’ll explore two prevalent scams impacting campuses today: how they work, who they target, and some tactics victims can take to protect themselves and their loved ones.

Deepfakes

Innovations in artificial intelligence (AI) technology have exacerbated the threat of impersonation scams for all of us. It is more important than ever to stay informed and vigilant. Deepfakes–digitally altered videos that falsely depict a person saying or doing something–are the latest technological advancement enabling these types of scams, which have extracted millions of dollars from victims.

Deepfakes use AI technology to create a seemingly real video or audio clip that mimics a person’s face, voice, or both. Deepfake technology has advanced to the point where scammers can use it in real time to replicate someone’s voice, image, and/or movements during a live phone call or virtual meeting. The technology is also widely available and relatively easy to use with minimal technical knowledge or resources. A single photo and three to four seconds of voice audio is all that’s needed to create a digital facsimile of the real person.

Yisroel Mirsky, an AI researcher and deepfake expert at Ben-Gurion University of the Negev, remarks:

“It’s easy to imagine an attacker looking on Facebook to identify a potential target’s children, calling the son to record enough audio to clone his voice, then using a deepfake of the son to beg the target for money to get out of a jam of some kind.

The technology is becoming so efficient […] you can clone a face or a voice with a basic gaming computer. And the software is ‘really point and click […] easily available online and configurable with some basic programming.”

The ease of creating real-time deepfakes has increased the likelihood of everyday people being targeted as part of deepfake scams, though the “loved one in trouble” tactic scammers often employ isn’t new. The FBI’s Internet Crime Complaint Center (IC3) has recorded instances of what it calls “The Grandparent Scam” since about 2008. In these scams, the caller impersonates someone’s grandchild, claims to be in a situation they cannot solve on their own and are afraid to tell their parents about, and says they need money to get out of it. And with deepfake technology, the scammer may convincingly sound like (or, in a virtual meeting, look like) a person familiar to the victim.

(It should be noted that characterizing this kind of scam as only targeting grandparents is both ageist and misleading. Military families have also been victimized: the scammer will claim that a problem came up during military leave that requires money to address. Alternatively, the caller may claim to be a friend or some other family member in an emergency needing immediate assistance. Anyone with close relations and a savings account could be targeted by this scam, including your institution’s faculty and staff members.)

How to prevent this scam

Anyone receiving a phone call from a loved one asking for immediate financial assistance should resist the pressure to act quickly. Don’t trust the voice alone.

Investigative reporter Brian Krebs of KrebsOnSecurity.com and the Federal Trade Commission (FTC) both suggest calling the person who supposedly contacted you to verify their story. If you can’t reach your contact, try to get in touch with them through a third party.

Don’t just react. Proactively protect yourself.

Experts also suggest protecting yourself and your loved ones from deepfake scams by creating a secret word only you, your family, and your close friends know to verify when it’s them in an emergency situation.

If you encounter a scenario you suspect may be a scam and you haven’t yet established a secret word, ask the person on the other line a question only they would know that wouldn’t have been posted on social media in the last five or more years.

How to Create a Secret Word

  1. Talk with your family and closest friends. 
    Share information about these kinds of scams.
  2. Establish your secret word in an in-person gathering.
    Pick something simple and easily memorable that doesn’t need to be written down (and isn’t posted on Facebook or Instagram).
  3. Commit it to memory. 
    This usually means practicing! It may feel silly, but it works.

Job Scams

Higher education information security practitioners have reported seeing a new scam targeting their student population. Students are targeted because they are typically newly independent and immersed in a culture where they are constantly expected to manage multiple competing demands on their time and focus, so they may not be as skeptical about an opportunity that suddenly appears. The scammer begins by contacting the student from an email address that looks like it is from a college administrative office or professor, offering part-time student employment. The honor of being singled out for an employment opportunity can be compelling enough that the student fails to notice the red flags.

The contact next prompts the student to divulge their personal email address (i.e., not their school email address) and personal mobile phone number in order to finalize the work agreement. The reason for this is actually to move the communications with the student “out-of-band,” effectively evading the institution’s email filters and other technical controls that protect campus communications from phishing scams and malware attacks.

The final critical step often involves mailing the student a check to deposit and requesting the student send some of the check money to another account. The check is usually not good (sometimes the first check is good to gain the student’s trust, but the second check is not), and will eventually bounce, but the student will have already sent money to the scammer. The student may end up losing a few thousand dollars, which for some students could put their housing and book budgets for the semester in real jeopardy.

How to prevent this scam

Students should know that if a job opportunity falls into their lap and seems too good to be true, it may well be. They shouldn’t just reply to the email address the sender used. Instead, they should use a phone number or email address they know is legitimate through the institution’s staff directory. Students should ask to receive the job duties, pay, and hours in writing. A scammer may refuse to provide these things.

Takeaways for Security Leaders

Campus IT and security leaders should ensure that students, faculty, and staff are familiar with best practices for avoiding these scams. They should be introducing students to these threats early in their college careers so they know what to look for and how to avoid being victimized. Leaders can help students develop situational awareness and a healthy skepticism of content they receive online. However, with real-time deepfakes now a part of the scammer arsenal, even a well-prepared individual can have trouble discerning reality from a convincing fabrication.

As impersonation scams continue to blur the line between reality and deception, staying informed and cautious is crucial to protecting yourself and your loved ones from potential scams. This Cybersecurity Awareness Month, let’s all take the necessary steps to safeguard ourselves and those we care about.

If you spot a scam, report it to the FTC.

Finally, while the financial loss from one of these scams may not typically meet the FBI’s financial threshold for opening an investigation, you should contact your local authorities or state consumer protection agency if you think you’ve been victimized. The FBI also suggests filing a complaint with IC3, which not only forwards complaints to the appropriate agencies, but also collates and analyzes the data for common threads that link complaints to identify the culprits.

Every October, Cybersecurity Awareness Month reminds us how important it is to stay safe online. Launched by the U.S. Department of Homeland Security and the National Cybersecurity Alliance, the initiative has grown to educate everyone—from students to business leaders to other organizations—on protecting themselves from cyber threats. The theme this year, “Secure Our World,” focuses on simple steps to secure your digital life. Whether it’s creating strong passwords, being careful about what you share online, or learning how to spot scams, these small actions can make a big difference. Cybersecurity Awareness Month aims to help you, your family, and your organization stay safe in an increasingly digital world. At Vantage, we proudly support this initiative because we believe that cybersecurity awareness and training is for everyone and, especially in higher education, can make the world a better, safer place.

This post was authored by Senior Strategic Consultant Jacqueline Pitter, who advises clients on network modernization, business continuity and disaster recovery, information security program development, and technology architecture.
