Increase in administrator phishing messages

Recently BCTC has seen a sharp increase in messages purporting to come from a senior-level College administrator, usually with the subject “URGENT”.  The message text will be something like:

“Are you available. There is something I need you to do. I am going into a meeting now with limited phone calls, so just reply my email.”

If the recipient replies, the sender, still posing as the administrator, will ask the recipient to buy several iTunes or other gift cards and email the codes on the cards, promising reimbursement when the sender returns to campus.  We have also seen more sophisticated scams (usually directed at College employees in the Administration and Finance office) asking for wire transfers and other financial transactions.

These messages are fraudulent.  The sender is attempting to exploit the recipient’s desire to help an administrator.  These messages often arrive on the weekend or after normal business hours, when the recipient is more likely to believe the message and will find it harder to verify the sender’s identity.  While no one at Baruch has actually purchased gift cards to our knowledge, it is important for the College community to remain vigilant about scams like these, as they may also lead to account password compromise or other exploitation of the recipient’s personal information.

We recommend the following steps to avoid falling victim:

  • Check the sender’s address: in nearly every case it is obviously not a Baruch College email address (recent ones were lastname.baruch.cuny.edu@outlook.com, for instance, although others have come from Gmail or other email addresses).
  • Always be suspicious of messages with grammar, spelling, and punctuation errors.
  • If you wish to verify that it is the actual sender, forward the message to the purported sender’s baruch.cuny.edu email address instead of replying to the address it came from.
  • Any communication from a senior leader at Baruch that you are skeptical of can always be verified by having the person call you directly, or by involving another Baruch employee, usually the administrator’s assistant or another coworker.
  • A Baruch College/CUNY administrator has no legitimate reason to have a member of the Baruch College faculty or staff buy gift cards on their behalf, nor will they ask another faculty or staff member to engage in unusual financial transactions on the College’s behalf.
  • In no case should you send gift card codes by email.
  • In general, it’s always better to be suspicious of such requests and seek verification or even just ignore them.
  • Any suspicious email can always be forwarded to the BCTC Helpdesk for verification. Even if you’re skeptical but not 100% sure, please send the email on and we can help verify its authenticity.
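
For mail administrators, the indicators described above can be checked mechanically. The following is an added example, not BCTC's own filtering code: the regular expressions, the indicator names and the sample messages are constructed for illustration, and it assumes mail with an internal From address has already been authenticated at the gateway.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "baruch.cuny.edu"  # the College's mail domain, as given in the advisory
# Assumed patterns, taken from the advisory's description of the scam.
URGENT_RE = re.compile(r"(?:(?:re|fwd?):\s*)*urgent!*", re.I)
PAYMENT_RE = re.compile(r"gift\s*cards?|itunes|wire\s+transfer", re.I)

def phishing_indicators(raw_message):
    """Return the advisory's indicators found in one plain-text RFC 5322 message."""
    msg = message_from_string(raw_message)
    _display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    # Assumption: mail with an internal From address was already authenticated
    # (SPF/DKIM/DMARC) at the gateway, so only external senders are scored.
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return []
    hits = []
    if ORG_DOMAIN in local:  # e.g. lastname.baruch.cuny.edu@outlook.com
        hits.append("org-domain-in-local-part")
    if URGENT_RE.fullmatch(msg.get("Subject", "").strip()):
        hits.append("urgent-subject")
    body = msg.get_payload()
    if isinstance(body, str) and PAYMENT_RE.search(body):
        hits.append("payment-request")
    return hits

# Constructed sample messages (not real mail).
FIRST_CONTACT = (
    "From: Pat Example <example.baruch.cuny.edu@outlook.com>\n"
    "Subject: URGENT\n\n"
    "Are you available. There is something I need you to do.\n"
)
FOLLOW_UP = (
    "From: Pat Example <example.baruch.cuny.edu@outlook.com>\n"
    "Subject: Re: URGENT\n\n"
    "Please buy several iTunes gift cards and email me the codes.\n"
)
INTERNAL = (
    "From: Pat Example <pat.example@baruch.cuny.edu>\n"
    "Subject: URGENT\n\n"
    "The budget meeting has moved to 3 pm.\n"
)

if __name__ == "__main__":
    for name, raw in [("first", FIRST_CONTACT), ("follow-up", FOLLOW_UP), ("internal", INTERNAL)]:
        print(name, phishing_indicators(raw))
```

A message that returns any indicator is a candidate for a warning banner or Helpdesk review rather than automatic deletion, since legitimate external mail can also carry an urgent subject.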

While BCTC will continue to develop strategies to block such fraudulent messages, it is impossible to catch everything all the time, and we need our user community to remain vigilant at all times.  Specifically, scammers will continue to change and improve their techniques as old techniques stop working, so the tools you might use to identify a fraudulent message today may not be the same tomorrow.

Also note that Baruch is far from unique in being the victim of these attempted scams.  The Chronicle of Higher Education recently posted a story about them at https://www.chronicle.com/article/Phishing-Scheme-Targets/245535.