
Working securely: combat malicious and criminal cyber activity – information for students

The COVID-19 pandemic has provided added cover for malicious and criminal activity: millions of pounds have already been lost to scammers exploiting the outbreak. Be wary of messages mentioning the pandemic. They will often claim to be from sources such as the Government, the World Health Organisation or even your University.

See Cyber Safe Warwickshire's page for more details.

Cybercriminals are targeting Warwick staff and students along with many other institutions and businesses. We have gathered together this guide on social engineering and the methods commonly used in cybercrime - and how to defend against them.

Scams Targeting Students

Many scams are aimed specifically at students, particularly early in a new academic year when there is a high volume of communication and new students are still getting to know their environment. At this time please be aware of any unsolicited contact that asks you for personal information or money. Scammers will often claim to be from legitimate organisations and authorities such as the University, banks or the Police. If you receive requests for personal data or account details and are not sure whether they are legitimate, find contact details for the organisation in question and call them to check the request directly. NEVER provide money or sensitive information to anyone who contacts you without seeking more information.

If you fall victim to a scam, report it as soon as possible – it is not your fault. Contact Campus Security so that they can direct you to the appropriate support services and report the incident to Action Fraud. If you receive any scam emails, forward them to the IT HelpDesk. International students are often specifically targeted and should take extra care when receiving unfamiliar communications.

 

This list includes some common examples of cyber-criminal activity targeting students:

  • Home Office/Embassy fines – Students are contacted by phone or email by cyber criminals claiming to be from the Home Office. They are often able to spoof real email addresses or phone numbers so appear legitimate. They will claim legitimacy by demonstrating that they know information about the student such as their address and passport number. They will claim that there is a problem such as a visa issue and demand that the student pays a fine. More information can be found here.
  • Fraud allegations/police incidents – Students may be contacted by cyber criminals claiming to be from the Police. They will accuse students of perpetrating some kind of crime, often money laundering, or will claim some other serious incident has taken place. They will demand the student hands over bank account details and copies of identification to prove their innocence. This can result in the loss of tens of thousands of pounds.
  • Currency exchange scam – Cybercriminals may advertise a service providing better currency exchange rates and will ask that money is transferred to them. Tens of thousands of pounds have been lost in some instances.
  • Spear-phishing scams – Spear phishing scams involve fraudulent emails being tailored to whoever they target. Cybercriminals may find information on a student (by stealing their username and password for any accounts they might have). These can often be very convincing. For example, a student may receive an email appearing to be from the University asking for payment of fees around the same time that the student receives correspondence about enrolment.
  • In-person scams – Students may be approached by people claiming to be representatives of the University such as professors or administrative staff. They may ask you to transfer money for tuition fees, accommodation fees or event tickets. No university representative will ever approach you in person asking you to transfer money. If you are approached in this way, do not provide any money or personal details. Report it immediately to Campus Security.
  • Private video chat scams – 'Romance scammers' often engage in a form of 'sextortion' which involves cybercriminals pretending to be romantically interested individuals and invite the target to engage in private video conversations. The scammers will record these and post any compromising material online. They will then extort the target for large sums of money in order to have the footage removed. This scam is commonly levied at individuals from East Asia.

 

So what is Social Engineering?

Social engineering aims to manipulate individuals into giving up confidential information. Cybercriminals are trying to obtain any personal information that may be useful - passwords, personal data, bank or passport information, or access to your computer via the installation of malicious software.

Criminals use a range of social engineering tactics because it is often easier to trick someone into giving away personal data than it is to break into software or guess a password (unless the password is weak).

The following guidance aims to raise awareness of social engineering by providing examples and types of methods used by scammers and tips on how to defend against them.

Types of Social Engineering

Contact the IT Helpdesk immediately if you feel you are being targeted by scammers. Follow the advice below to avoid falling victim.

Each entry below gives the name of the technique, the method used, and the defence against it.

Phishing

Typically involves sending emails to many recipients at once, usually to get victims to click links or reply with information.

  • Don’t reply or click on links you are unsure of.
  • Verify emails that claim to come from a company against the contact details on its official website, protect your devices with anti-virus software and apply strong spam filters in your email settings.

Spear-phishing

Targeted at you specifically, using any available information about you to sound more convincing. An example of this is where scammers pretend to be management staff and ask you for data or money.

  • If they claim to be a person you know, contact that person by other means to verify the request.

Whaling

These are spear-phishing attempts aimed at senior individuals in an institution or business. Scammers will put more effort into these as there is a greater potential pay-out.

  • If you are a senior (higher grade) University member, be aware that you may be targeted in this way.

Shared Document phishing

These are fake messages claiming that a document has been shared with you.

  • Do not click suspicious links or download files you are not expecting to receive.

Vishing

Vishing is short for ‘voice-phishing’. It involves scammers calling their targeted individuals on the phone to convince them to part with confidential information.

  • Be suspicious of unknown numbers and unsolicited calls. Do not agree to hand over sensitive data or install software on your device on the advice of people who call you. If they claim to be from a legitimate source, find contact information from an official website and call them to check.

SMShing/Smishing

SMShing and smishing both refer to phishing attempts sent by text message. The same principles as for other phishing attacks apply.

  • Search numbers online to see if they are official or if someone has posted on forums about them being scams. Don’t click suspicious links or reply to unsolicited texts.

Social Media Phishing

Scammers utilise social media to create fake profiles that look real, exploit existing profiles and use your publicly available information to trick you.

  • Be wary of unsolicited messages. Do not click links that look suspicious or come from strangers.

Examples of Social Engineering

Contact from a friend

  • Scammers gain access to an email account and send messages to the contacts on the account.
  • If a friend’s email account is compromised, you may receive scam messages apparently from them, a known friend.
  • The scammers may suggest you click a link or download an attachment so that they can take control of your account, install malicious software or steal data.

Contact from a trusted source

  • Unsolicited contact from cybercriminals pretending to be from a trusted source - a bank, government agency, tech company, employer or University. They will try to steal your login credentials or other sensitive data, or install malicious software. It is common for scammers to mimic University staff.

Answering your unasked questions

  • These attempts rely on trusted authority and involve the scammer posing as a well-known organisation (as above).
  • They might claim to be responding to your request to fix a problem; for example, claiming to be from Microsoft, asking to take control of your machine to remove a virus.

Creating distrust

  • Perpetrators of this activity may include people you know personally. They try to gain access to people’s accounts (like email or social media) and use them to spread lies and incriminating information through false messages and doctored images. Their goal is usually extortion or reputational damage.

Urgency

  • Emails that present a scenario requiring you to act immediately, so that you panic and do not stop to think or check the information.

Generosity

  • You may be exploited by requests for charitable donations in response to a distressing story.

Verification

  • Fake log-in screens or pretexts that request 'verification' of your log-in credentials and other personal data in order to steal them.

Temptation

  • False communications that announce you’ve won a valuable prize, tempting you to take the risk and hand over data or control to claim it.


Guidance on Phishing Emails

As this guidance explains, a phishing email is a deception designed to get hold of your personal details or money. These emails come in many shapes and sizes, but they will be designed to look authentic and legitimate. They often come from an official or ‘known’ entity – a postal or courier service, a bank, the University or your department or a high-profile individual. Once you have opened a fraudulent email, it will normally ask you to take action – to click on a link or open an attachment. This action usually provides cybercriminals with access to the personal information they’re seeking.

How to avoid getting caught out

  1. Read emails carefully before acting. Phishing emails may include a generic greeting (e.g. ‘Dear sir’), an overly-friendly tone, grammatical errors or an urgent request. Take a moment to consider the contents of the email before doing anything.
  2. Exercise caution when opening links and attachments. Hover over any links to see where they really lead and make sure they're legitimate. If you're unsure, contact the ITS helpdesk: helpdesk@warwick.ac.uk
  3. Never reply to an email asking for your passwords, PINs or any other account details. The University will never email or phone you to ask for your account details. Likewise, any email asking for bank details will be fraudulent, without exception.
  4. Verify the source. Check the sender's email address when you receive an email and again when you reply. Scammers may be able to spoof or fake the 'From' address in an email to make it look like it's from someone you know, but when you reply the address may change. If in doubt, type in the email address manually.
  5. Report it. Report anything suspicious to the ITS Helpdesk, including attachments or links you've clicked on.
  6. Turn on two-step authentication. This will ensure that only you can access your Warwick account. Find out more about setting up two-step authentication.
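Two of the tells in this checklist (a reply address that differs from the displayed sender, and link text that does not match the link's real destination) can be checked mechanically. The script below is an added illustration, not part of the University's guidance; the email it inspects is a constructed sample and the domains in it are invented placeholders.

```python
# Added example (not from the University's guidance): flag two phishing
# tells in an email - a Reply-To that differs from the From domain, and
# link text whose host does not match the real href.
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the display name and From claim the University, but
# replies would go elsewhere and the link text hides a different target.
SAMPLE = """\
From: Warwick Finance Office <finance@warwick.ac.uk>
Reply-To: warwick-finance@example-mail.test
To: student@warwick.ac.uk
Subject: URGENT: tuition fee payment overdue
Content-Type: text/html

<p>Dear sir, pay now: <a href="http://pay.example-login.test/x">https://warwick.ac.uk/fees</a></p>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr):
    """Lower-cased domain part of an email address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def host_of(url):
    """Lower-cased host of a URL or bare hostname (scheme and path stripped)."""
    return re.sub(r"^https?://", "", url.strip()).split("/")[0].lower()


def check_message(raw):
    """Return a list of human-readable warnings for a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    # Tell 1: replying would send to a different domain than the one shown.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        warnings.append(f"Reply-To domain {domain_of(reply_addr)} "
                        f"differs from From domain {domain_of(from_addr)}")
    # Tell 2: the visible link text names one host, the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, shown in LINK_RE.findall(text):
        shown_host, href_host = host_of(shown), host_of(href)
        if "." in shown_host and shown_host != href_host:
            warnings.append(f"Link text shows {shown_host} but points to {href_host}")
    return warnings
```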