Recent phishing emails at Grand Valley State University have raised concerns among students and faculty whose likenesses are being used to commit fraudulent check scams that could cost over $1,000.
Often posing as a remote job or internship opportunity, these emails appear in a student’s inbox with vague information and accepting applicants on a “first come, first serve” basis. These hackers will almost always use a faculty member’s name paired with some form of contact information.
GVSU Institute of Cybersecurity Education and Research Director Andrew Kalafut spoke on his experience with phishing and trends he has seen at GVSU.
“I have my own experience with finding out that my name was used in these (scams), and I have heard over the past couple of years from several other professors whose names were used in these,” Kalafut said. “I’ve also heard from students who try to check in with them using the contact information on the University website and of course, it did not match what was in the scam.”
Students are encouraged to send a resume and an expression of interest to the number provided within the emails, securing contact with the scammer.
“It makes the scam more believable by using the names of actual professors,” Kalafut said. “A lot of students don’t have any contact with the actual professor to alert them.”
Once students are in contact with the scammer, they are asked to deposit a check that uses GVSU iconography and logos to imitate legitimacy. This check is usually labeled as a stipend or as a deposit to cover supplies needed for the ‘job.’ Once this is deposited into a student’s bank account, the scammer will ask a portion be sent back to them immediately via mobile app like PayPal, Cash App or Venmo.
Senior Vice President and Chief Administrative Officer Liz Bracken of Grand River Bank in Grandville provided advice for students receiving phishing emails.
“In general, our best advice is to always verify directly with the person or company asking for something by contacting them at a number you know to be accurate,” Bracken said. “Anything that requires immediate action is likely a scam.”
If the scam is successful, the victim would send a sum of money through the app of the hacker’s choice and eventually, the bank would recognize the check as fraudulent and void. However, whatever amount is sent to the hacker would then still be deducted from that account, sometimes leaving students in debt.
This has raised concern for GVSU Assistant Vice President and Chief Information Security Officer Luke DeMott, who said there’s no single solution for getting rid of the issue.
“There is no silver bullet to get rid of phishing,” DeMott said. “This is the number one attack surface for every industry vertical that I know of.”
These particular phishing scams also use the assistance of AI chatbots such as ChatGPT to tailor each message and make each scam unique, sometimes bypassing the filtering system GVSU has in place to prevent them.
“What you’ll end up seeing is a filter working great for a couple of weeks or a few months, and then the scammer makes just enough changes to their email,” Kalafut said. “They send (it) out, (and) it doesn’t get caught by the filter.”
The University’s Information Technology Department said it’s taking preventive action to continue to improve scam detection.
“We have meetings that are held weekly to try to prevent spam and phishing, and rip them out as much as we can, but it is an ever moving target,” DeMott said.
Bracken added that it can be disheartening to think about the number of people trying to take advantage of others, but”knowledge is power and being diligent is your best defense.”
