The most common scams targeting the UB community

A graphic featuring sharks swimming around a UB logo.

Scammers are always looking for new ways to take advantage of students, faculty and staff. 

Published August 26, 2024

With increasing opportunities to hand out our personal information, the number of online scams are skyrocketing. Here's a look at the most common scams affecting UB and the steps you can take to avoid them.

Know why scams occur

Scams happen when we provide scammers the chance to access our information.  

  • Easy access: We willingly provide our personal information on social media all the time. Even taking those innocent-looking “tell us your maiden name and we’ll tell you what you ordered at Starbucks” quizzes can siphon your personal data.
  • Poor security: Cyber attackers are able to test billions of password combinations in a second, leaving those of us with weak passwords and no two-step verification vulnerable.

Scammers are also compelled, first and foremost, by financial gain.

  • Greed and/or financial difficulties: Most likely, an individual trying to scam you is trying to make easy and fast money.

Why are students overwhelmingly the target of some of these scams? In particular, students comprise 95% of all targets for fake job offers, because students are more likely looking for flexible or remote work opportunities (which conveniently means you'll never meet the person scamming you in person). Students may also be in greater need of a job.

International students are disproporionately targeted as well, because scammers assume international students will be less likely to detect a fraudulent email than those who speak English as a first language.

Know the methods scammers use

Phishing is the most common ways scammers gain access to your personal information by trying to establish a relationship or gain your trust. Phishing attempts don't just target email, either. Scammers may use:

  • Email attachment and links
  • Phone calls
  • Pop-up windows
  • Direct messages
  • Text messages

In particular, look out for:

  • Requests for personal information: These may or may not include threats.
  • Not being addressed by name: They may use other ways to address you, such as: Customer, Mr./Mrs./Miss, User, etc.
  • Spelling and grammatical errors
  • The promise of easy rewards or services

Despite the typical spelling and grammar errors, scam emails can look surprisingly legit. Scammers often impersonate large, reputable organizations (even UB!) by taking their logos and branding from another online source to make their scam emails look more official.

Follow the instructions on the UBIT website for reporting a phishing attempt if you think you have received one.

Know the most common scams

Fake job scams

Someone contacts you with a “too good to be true” job opportunity: common offers include caregivers, mystery shoppers, administrative assistants, rebate processors or models/influencers. These jobs, while often entry-level, claim to offer great pay, short working hours and lots of flexibility.

Some variations of this scam offer to find you a job placement, or to get you to buy gift cards, bitcoin or other purchases, but these scams use several different tactics.

Fake job scams can appear as though they come from a company, or an individual (for example, you may receive an email asking you for recommendations for a tutor). 

Look out for:

  • Credit report requests: A company is supposedly impressed by your resume and wants to hire you, but first they need to check your credit score. You may then be directed to a website where they ask for personal information, including name, address, and social security number (SSN).
  • Job application requests: You are asked to fill out an application for a job. Then, you are directed to a website and asked to provide your personal information.
  • Requests for a background check (at your expense): A position has opened up, but you are responsible for paying for the background check, possibly with a pre-paid Visa card.

Ways to stay safe:

  • Verify the contact and company first before communicating. Search the person, as well as the company, who reached out to you online to make sure they are both legitimate.
  • Don't give anyone your personal information like your home address, driver's license or SSN over email or phone. 
  • Contact the company directly (use their publicly available contact information) to verify the job offer.
  • Your best option is to delete the email without responding or clicking any links or attachments
  • If you already responded, cease correspondence. 
  • If the sender requested any action on your part, contact the UBIT Help Center right away

Supervisor/"gift card" scams

You receive an email from someone who claims to be a UB official, or maybe even your supervisor… but isn’t. They need something done quickly, but can’t talk over the phone. Typically, they’ll ask you to buy gift cards for them.

Look out for:

  • An inability to talk on the phone: They will claim to be someone you work with, but will only be able to communicate over the phone because they’re in a meeting, or out of the country.
  • A guilt strategy: Maybe it’s for their niece’s birthday, and they forgot to get something. If you email them back, you may even receive a long and convincing story to this effect.

Ways to stay safe:

  • Always be extra cautious when someone asks you for money, especially over email. Take extra steps to make sure the person is who they say they are.

Immigration scams

International students are often the target of this scam, in which someone calls you and threatens deportation unless you give them money immediately. This scam is quite common, and there are easy ways to detect it:

Look out for:

  • Phone call: The U.S. government does not conduct immigration business over the phone. If there is an important change in your status, you will receive it in writing.
  • Requires immediate payment: You will also typically be notified in advance (usually by writing) if you owe any money to the U.S. government, and will be given a date in the future when the payment is due.
  • Payment with gift cards or cryptocurrency: These callers often require you to pay with either gift cards (like Google Play or iTunes) or cryptocurrency (like Bitcoin). Neither are acceptable forms of payment for official government business. Gift cards and cryptocurrency are two forms of payment preferred by scammers, because it is easy for them to take this payment and disappear without being tracked.

Ways to stay safe:

  • Call USCIS’s National Customer Service Center at 1-800-375-5283: You can ask questions about immigration and status and get a legitimate answer.

Cryptocurrency investment scams

This scam, spotted by the FBI in 2022, targets mainly Chinese American professors. According to the FBI:

"Criminals contact Chinese American professors, claim to be associated with legitimate investment firms, with branches in Asia, and solicit investments in cryptocurrency. The scammers communicate in both Mandarin and English while using email and instant messaging applications. If the scammers are successful in obtaining wire transfers, they direct their victims to fraudulent financial platforms that display fake account balances, and funds which are not available for withdrawal."

Look out for:

  • Unsolicited email or messages: the scammers contact their targets over email, purporting to be from an investment firm.
  • Cryptocurrency: the scammers request an investment made in cryptocurrency.
  • Mandarin or English: these scams are communicated in either English or Mandarin, and typically target Chinese American individuals.

Ways to stay safe:

  • Be skeptical about any unsolicited investment pitches, particularly those claiming to come from Asian firms or firms with branches in Asia. If you believe you may already be a victim of this scam, contact the UBIT Help Center at 716-645-3542.

Tax scams

In 2021, the U.S. Internal Revenue Service (IRS) warned that scammers were targeting .edu email addresses with a tax scam where they impersonate the IRS and ask people to click a link and submit a form to claim their refund. These scams use the IRS logo in their email, and various subject lines like "Tax Refund Payment" or "Recalculation of your tax refund payment." 

The link in the email leads to a fake IRS site that collects your social security number, date of birth and other information that can be used to fradulently steal your refund.

During tax season, if you're waiting on or unsure of the status of your refund, you should check the IRS' official Where's My Refund? page on IRS.gov. 

Invoice scams

You’ve received an invoice from a reputable company, but something seems off. Trust your gut, and make sure it is real. Scammers have taken to sending out fake invoices so consumers either pay the invoice directly, or call the scammer, and give them access to their computer and banking information. And don’t call the number on the invoice to check things out. Make sure you’re calling the real company.

Google Docs/M365 phishing scams

This scheme tricks individuals into granting access to their Google or Microsoft accounts by sending emails that appear to be from trusted sources, often indicating that the sender has shared a document with them and directing them to a what appears to be a Google or Microsoft sign-in page.

In some cases, it may actually be a legitimate sign-in page. Using what is called an adversary-in-the-middle (AitM) attack, the threat actor can insert themselves in such a way that when someone clicks the link and logs into the legitimate sign-in page, they are able to capture their credentials and their multi-factor authentication code (2FA code).

The attacker can also use a fake Google or Microsoft log-in page that looks just like the real thing to capture credentials. 

Once the credentials are entered, cybercriminals can access personal information, send spam, and potentially commit identity theft. Recognizing the signs of this scam, such as unexpected emails, generic greetings, urgency tactics, and suspicious URLs, is crucial to protecting your online security. 

To safeguard yourself, enable two-factor authentication, verify the sender's identity, and hover over links to preview URLs before clicking. Make sure to report any incidents to UBIT, which you can do online. If you've fallen victim to the scam, immediately change your passwords, review account activity, and monitor your financial accounts for suspicious behavior.

Know what to do if you're a victim

If you think you have been the victim of a scam, there are several steps you should take:

  1. Change your password of accounts involved in the scam
  2. Contact and inform your bank
  3. Contact local police (For members of the University at Buffalo, please contact University Police)
  4. File a complaint at the Internet Crime Complaint Center

UB Information Technology News keeps UB students, faculty, and staff informed about their IT services and showcases creative collaborations between UBIT and the campus community. Published by the Office of the Chief Information Officer at UB and distributed via email as The Monthly Download. Edited by Diana Tuorto, IT Communication and Engagement, dianatuo@buffalo.edu.

Know the methods scammers use