“WorkStudy Update!” Job Phishing Scam

Same Scam, Different Details

The UMBC DoIT has been notified of a compromised UMBC account used to send out phishing emails. An example of the email chain is shown below. The name and email address of the compromised UMBC account have been removed for privacy reasons, as well as the name of the user who reported the email.

Initial Scam Message

From: COMPROMISED ACCOUNT <@umbc.edu>

Date: Fri, Aug 28, 2020 at 7:47 AM

Subject: WorkStudy Update!

To:


Good morning!

My name is <COMPROMISED ACCOUNT>and i currently work with the UMBC educational planning center and i would like to inform you that there is a job opening opportunity available to you, This opportunity is only part time and is not expected to clash with your current school/study schedule.Kindly send in an instant reply if you are in search of a job so you can receive further information..  


Follow-up Scam Message

From: career management jobs <careerjobsdepartment@outlook.com>

Date: Fri, Aug 28, 2020 at 8:48 AM

Subject: Re: WorkStudy Update!

To:  <@umbc.edu>


Hello <NAME>


Thank you for your interest in the available job position, kindly

click on the URL below to view the application portal


https://tinyurl .com/JOB-UPDATE


The first email follows a trend we have seen in recent phishing campaigns, except that this one uses the compromised account holder’s name in the message body and changes the subject to “WorkStudy Update!” Even when sent from different users with different subjects, these campaigns share a pattern: “WorkStudy” appears in the subject, and both messages use a similar format.


If the user responds to the first message showing interest, they will receive the second message from a different email address. This is because the Reply-To header of the first email, sent from the UMBC account, is set to <careerjobsdepartment@outlook.com>, so instead of replying to the <@umbc.edu> address, the user is emailing the scammer directly.
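The following Python check flags the two traits described above: a Reply-To domain that differs from the From domain, and “WorkStudy” in the subject. It is an added example, not DoIT's own tooling; the sample message is constructed, and its From and To addresses are placeholders.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modeled on the first message above. The From and To
# addresses are placeholders; the Reply-To address is the one in this notice.
SAMPLE = """\
From: Compromised Account <compromised-account@umbc.edu>
Reply-To: career management jobs <careerjobsdepartment@outlook.com>
To: recipient@umbc.edu
Subject: WorkStudy Update!

Good morning!
"""

def _domains(msg, header):
    """Return the set of lower-cased domains found in an address header."""
    values = msg.get_all(header, [])
    return {addr.rsplit("@", 1)[1].lower()
            for _, addr in getaddresses(values) if "@" in addr}

def check_headers(raw):
    """Return a list of findings for the traits described in this notice."""
    msg = message_from_string(raw)
    findings = []
    from_domains = _domains(msg, "From")
    reply_domains = _domains(msg, "Reply-To")
    # Replies would leave the sender's domain: the redirect described above.
    outside = reply_domains - from_domains
    if from_domains and outside:
        findings.append("reply-to-mismatch:" + ",".join(sorted(outside)))
    # Recurring subject keyword; spaces and hyphens are dropped so that
    # "Work Study" and "Work-Study" match as well (an assumption about variants).
    subject = (msg.get("Subject") or "").lower()
    if "workstudy" in subject.replace(" ", "").replace("-", ""):
        findings.append("subject-keyword:workstudy")
    return findings

if __name__ == "__main__":
    print(check_headers(SAMPLE))
```

A Reply-To mismatch also occurs in legitimate mailing-list and helpdesk mail, so treat it as a triage signal to combine with the subject pattern rather than a verdict on its own.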


The second email contains a link to a malicious site. If you do receive this email, please do not click on the URL. In previous similar scams, the scammer is seeking personal information such as name, phone number, email address, home address, age and current occupation. It also invites the user to ‘tell a bit about themselves’ in a free-form text box.


If you do receive this or any other email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please forward the message (with the email headers) to security@umbc.edu.


How do I forward full email headers?

https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970


To read more articles published by DoIT, visit:

https://itsecurity.umbc.edu/critical/?tag=notice

https://itsecurity.umbc.edu/home/covid-19-news/?tag=covid19

Posted: August 31, 2020, 1:54 PM